Axios Codebook

June 04, 2024
Happy Tuesday! Welcome back to Codebook.
- 🤖 Join Axios virtually tomorrow at 2pm ET for our AI+ NYC Summit, hosted in partnership with Tech:NYC. Speakers include industry experts from sports, robotics and more. Register for the livestream here.
- 📬 Have thoughts, feedback or scoops to share? [email protected].
Today's newsletter is 1,480 words, a 5.5-minute read.
1 big thing: Massive data breaches could tie back to Snowflake cloud accounts
Cloud computing company Snowflake warned its customers over the weekend that hackers appear to be targeting accounts that don't use multifactor authentication (MFA).
Why it matters: The warning is the latest installment in a confusing and rapidly evolving tale that may also involve the headline-grabbing Ticketmaster breach.
State of play: A domino effect of events has been unfolding since last week when a hacker group started advertising stolen Ticketmaster customer information for $500,000 on a popular hacker forum.
- A few days after the post, a cybersecurity vendor issued a since-deleted report in which a hacker claimed the group had stolen data from Ticketmaster and Santander Bank via their Snowflake accounts. (The cybersecurity vendor said Monday it had taken down the post after receiving a letter from Snowflake's legal counsel.)
- On Friday, Ticketmaster-parent Live Nation issued a public 8-K filing saying it had identified "unauthorized activity within a third-party cloud database" on May 20. A company spokesperson told TechCrunch that the affected database was hosted on Snowflake.
- Snowflake then issued a joint statement with CrowdStrike and Mandiant over the weekend saying it had zero evidence that recent unauthorized access of user accounts was due to a software vulnerability, company breach or product misconfiguration.
- Snowflake added that it appears these malicious actors leveraged credentials "previously purchased or obtained through infostealing malware" to access some customers' accounts, as well as stolen credentials to access a former employee's demo accounts.
Threat level: The precise extent of the unauthorized access — and whether it's directly tied to these massive, headline-grabbing corporate leaks — is still being determined.
- If the hackers are to be believed, at least 500 million people's personal information, including financial data and home addresses, could have been stolen.
- A top Australian cyber agency warned Saturday that it's tracking "increased cyber threat activity" related to Snowflake customer environments.
- Snowflake said that only a "limited number" of customers have been affected, but it did not provide a specific number. Snowflake's customers include JetBlue, Mastercard, Honeywell and other major companies.
- Mandiant Consulting CTO Charles Carmakal told BleepingComputer that his firm has been assisting compromised Snowflake customers for several weeks already.
What they're saying: "The question is what kind of net increase in risk does that actually add to most people?" Rafe Pilling, director of threat intelligence at Secureworks' Counter Threat Unit, told Axios. "It probably feeds into just the run-of-the-mill volume of scams that most people receive on a day-to-day basis."
Between the lines: Even as companies move to the cloud for data storage and analytics, the same old hacking tactics will follow them.
- All internet-facing databases need to have some sort of MFA added to them to keep attackers out, Pilling said.
But MFA can be difficult for companies to keep up with, Pilling noted.
- Some small businesses might need to share passwords for a single enterprise account that makes MFA hard to enforce. Or an employee could encounter infostealer malware when logging into their personal account on a work laptop.
The big picture: Stolen credentials remain a relatively easy way for attackers to break into accounts.
- IBM reported a 71% increase in the number of attacks relying on valid login credentials in 2023 compared with 2022, for instance.
The bottom line: Snowflake has published a list of attack indicators that can help customers determine if they've been affected.
- The company also recommended that all customers immediately turn on MFA for their accounts and set up a policy to review who has access to these accounts.
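As an added example (not from Axios, Snowflake or the vendors named above), one way a Snowflake account administrator could act on that guidance: query the account's own login history for successful password-only logins, which is the exposure the warning describes, and list active users who have never enrolled in MFA. It assumes the role running it can read the SNOWFLAKE.ACCOUNT_USAGE views; the 30-day window is a chosen placeholder.

```sql
-- Added example, not Snowflake's published indicator list.
-- Assumes the running role can read SNOWFLAKE.ACCOUNT_USAGE (e.g. ACCOUNTADMIN).

-- 1. Successful logins in the last 30 days that presented only a password
--    and no second factor: these are the sessions to review first.
SELECT
    event_timestamp,
    user_name,
    client_ip,
    reported_client_type,
    first_authentication_factor,
    second_authentication_factor
FROM snowflake.account_usage.login_history
WHERE is_success = 'YES'
  AND first_authentication_factor = 'PASSWORD'
  AND second_authentication_factor IS NULL
  AND event_timestamp >= DATEADD(day, -30, CURRENT_TIMESTAMP())
ORDER BY event_timestamp DESC;

-- 2. Access review: users who are still enabled and have logged in at least
--    once but are not enrolled in Duo MFA.
SELECT
    name,
    last_success_login,
    ext_authn_duo
FROM snowflake.account_usage.users
WHERE deleted_on IS NULL
  AND disabled = FALSE
  AND ext_authn_duo = FALSE
  AND last_success_login IS NOT NULL
ORDER BY last_success_login DESC;
```

Rows from the first query with unfamiliar client IPs or client types are the ones to check against Snowflake's published indicators; rows from the second are the accounts to enroll in MFA or disable.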
2. Google invests $15M to train new cyber pros
Google is providing $15 million to create new cybersecurity clinics at universities across the country, the company announced today.
Why it matters: The 15 new clinic programs are designed to attract more students to a cybersecurity career, while also helping resource-strapped small businesses get the security help they need.
- Cybersecurity clinics operate similarly to law school clinics: Students spend a semester consulting with a local small business to help improve its cyber defenses and provide other cybersecurity services.
Zoom in: Google is providing $1 million to help support new programs at Dakota State University, the University of Texas at El Paso, Spelman College and several others.
- Schools submitted applications as part of a new Google initiative, and partnering organizations conducted webinars and other outreach to attract a diverse applicant pool.
The intrigue: Google originally only planned to invest a total of $20 million and back 10 new clinics and expand a few existing programs — but the application pool inspired the company to invest an additional $5 million, bringing the total to $25 million by 2025.
- Google is also providing free Titan security keys, scholarships for the company's cybersecurity certificate program, and mentorship for new clinics.
What they're saying: The new funding "just has so many amazing downstream effects," Heather Adkins, Google's vice president of security engineering, told Axios. "A business owner will go home and think about the personal security in their household and teach their kid, and it creates this lovely virtual cycle of building everyone up."
The big picture: Cyberattacks are one of small-business owners' biggest fears — in part because they lack the time, money and headcount to properly invest in cybersecurity.
What's next: Each of the new clinics is slated to start operating either in the upcoming fall semester or next spring, Ann Cleaveland, executive director of UC Berkeley's Center for Long-Term Cybersecurity, told Axios.
- The clinics will also become members of the Consortium of Cybersecurity Clinics, which the UC Berkeley center co-chairs, where they'll receive additional long-term mentorship and support.
3. Russian disinformation targets Paris Olympics
Russian propagandists are seeking to discredit the International Olympic Committee (IOC) and incite fears of terrorism at this summer's Olympic Games in Paris, according to a Microsoft report released this week.
Why it matters: The report warned that the Russian campaign could expand and intensify in the run-up to the start of the Paris Games in late July.
Driving the news: "Prolific Russian influence actors" known as Storm-1679 and Storm-1099 have spearheaded the online campaign to sow fear about the Olympics, according to the report from the Microsoft Threat Analysis Center.
- Efforts to target the Paris Games began in June 2023, when Storm-1679 released a fake documentary called "Olympics Has Fallen." It was narrated by AI-generated audio that resembled the voice of Tom Cruise and ridiculed IOC leadership, per a Microsoft press release.
- The film also had a bogus marketing campaign featuring fake five-star reviews from the Washington Post and the New York Times.
State of play: Over the past year, Storm-1679 has released a series of videos made to look like news reports from real media outlets regarding fears of violence at the Paris Games.
- One of the videos — purported to be from Brussels-based Euronews — claimed that Parisians were buying property insurance ahead of the Games for fear of terrorist attacks.
- The "most worrisome" efforts have seen Storm-1679 take advantage of the ongoing Israel-Hamas war to impersonate militants and threaten violence against Israelis attending the Games.
- The group Storm-1099 has released spoofs of French media outlets warning of violence at the Games and playing up allegations of corruption at the IOC.
Threat level: "We are likely to see renewed efforts to launch influence campaigns messaging in English, German, French, and other languages to maximize visibility and traction online" as the Games draw nearer, the report stated.
- This will likely include a "tactical shift" from video to online bots and automated social media accounts that can flood social media channels while offering Russia plausible deniability, per the report.
- The IOC did not respond Monday to a request for comment on the report.
4. Catch up quick
@ D.C.
🏛️ The Federal Trade Commission has held meetings with tech executives to inform a possible antitrust probe into Microsoft's licensing and bundling strategies, including the cybersecurity implications. (Nextgov/FCW)
📝 The Department of Health and Human Services will now allow Change Healthcare to file breach notifications on behalf of thousands of organizations affected by its ransomware attack. (The Record)
@ Industry
⚠️ More than a dozen current and former employees of OpenAI and Google DeepMind have signed a letter expressing concerns about the industry's approach to safety. (Axios)
💻 Security researchers are starting to dig into Microsoft's new Recall feature — and they're not too happy about its potential impact on a device's cybersecurity. (The Verge)
👀 A recently obtained internal Google database details six years' worth of potential privacy and security issues at the company, including accidental data collection and leaked information. (404 Media)
@ Hackers and hacks
🤖 Hugging Face said it detected "unauthorized access" early last week to its Spaces platform, where users can create, share or host AI models and resources. (TechCrunch)
📈 Researchers at Mandiant say they saw a significant resurgence in ransomware activity in 2023. (CyberScoop)
5. 1 fun thing

Lots of silliness to unpack in Washington already this week!
☀️ See y'all Friday!
Thanks to Megan Morrone for editing and Khalid Adad for copy editing this newsletter.