Snowflake Data Breach Linked to Santander and Ticketmaster Breaches

The alleged Snowflake Data Breach has impacted several major organizations including Ticketmaster and Santander Bank through unauthorized access to cloud data stored in Snowflake accounts.

    Snowflake Data Breach Caused by Hackers Using Credential Stuffing

    Security researchers have linked the Ticketmaster and Santander Bank breaches to credential-based attacks on customer accounts of Snowflake, a widely used cloud data platform: attackers logged in with valid usernames and passwords rather than exploiting a flaw in the platform.

    In mid-May, Santander disclosed that customer information in Chile, Spain and Uruguay was compromised along with data on all former and current employees.

    Ticketmaster also notified customers in late May that their user data had been accessed without authorization through a third-party cloud vendor. On May 27th, the hacking group ShinyHunters claimed to have stolen the data of over 560 million Ticketmaster customers and demanded a $500,000 ransom.

    Neither company named Snowflake initially, but the cloud vendor later acknowledged an investigation into a “targeted threat campaign” against some customer accounts.

    ShinyHunters Claim Access to Hundreds of Snowflake Accounts

    In a conversation with security researchers from Hudson Rock, a threat actor known as ShinyHunters who claimed responsibility for the breaches said they had access to data from over 400 Snowflake customer accounts. Hudson Rock published these claims in a since-deleted blog post.

    Some of the organizations named by the hackers included Anheuser-Busch, Allstate, Advance Auto Parts, Mitsubishi, Neiman Marcus, Progressive, and State Farm in addition to Ticketmaster and Santander Bank.

    The Australian Cyber Security Centre (ACSC) also said it was aware of “successful compromises of several companies utilizing Snowflake environments” and was monitoring increased threat activity related to customer environments.

    The hackers were reportedly demanding $20 million from Snowflake in exchange for not leaking the stolen data online.

    Snowflake Denies Claims of Hackers Breaching Its Platform

    Snowflake acknowledged an increase in threat activity targeting some customer accounts but denies that any vulnerability in its platform was exploited.

    “We have not identified evidence suggesting this activity was caused by a vulnerability, misconfiguration or breach of Snowflake’s platform. We have not identified evidence suggesting this activity was caused by compromised credentials of current or former Snowflake personnel. This appears to be a targeted campaign directed at users with single-factor authentication. As part of this campaign, threat actors have leveraged credentials previously purchased or obtained through infostealing malware,” Snowflake said in a statement.

    However, researchers point to inconsistencies in Snowflake’s statements.

    The researchers’ since-deleted post suggested that the threat actor had obtained credentials for a Snowflake employee’s ServiceNow account and used them to bypass Okta protections and generate session tokens, which would have allowed direct access to customer data on Snowflake systems.

    The researchers also quoted the hackers claiming to have accessed data in over 500 Snowflake demo environments, and cited an infostealer log showing that a Snowflake employee’s machine was infected in October 2023. Snowflake says the demo environments hold no sensitive data, but it confirmed that credentials for a former employee’s demo account, which lacked multifactor authentication, were compromised.

    Organizations Take Action in Response to Snowflake Data Breach

    In response to the incidents, organizations are taking steps to secure their cloud environments and protect customers. Snowflake is recommending that all customers immediately enable multifactor authentication and reset credentials for all active accounts. The company is also sharing indicators of compromise (IoCs) with affected customers to help them detect suspicious activity in their own accounts.
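    The pattern Snowflake describes (valid password, no second factor, from infrastructure the legitimate user never used) leaves a clear trail in the account's own login telemetry. The following SQL is an added example, not from the article or from Snowflake's published guidance; it hunts in the SNOWFLAKE.ACCOUNT_USAGE views for single-factor logins from previously unseen IPs or client tools, then matches login events against an IoC list. It assumes a role with access to the SNOWFLAKE database (ACCOUNTADMIN or a role granted IMPORTED PRIVILEGES on it); the IoC values are placeholders to be filled from Snowflake's bulletin.

```sql
-- Added example: hunting for the Snowflake campaign pattern in ACCOUNT_USAGE.
-- Not from the article or from Snowflake. ACCOUNT_USAGE views lag live
-- activity by up to ~2 hours; use INFORMATION_SCHEMA.LOGIN_HISTORY() for
-- the last 7 days if you need fresher data.

-- 1. Successful logins in the last 30 days that used only a password:
--    no second factor, not SSO, not key-pair. These are the accounts the
--    campaign targeted, so every row is a review candidate.
WITH sf_logins AS (
  SELECT event_timestamp,
         user_name,
         client_ip,
         reported_client_type,
         first_authentication_factor,
         second_authentication_factor
  FROM   snowflake.account_usage.login_history
  WHERE  is_success = 'YES'
    AND  event_timestamp >= DATEADD(day, -30, CURRENT_TIMESTAMP())
    AND  first_authentication_factor = 'PASSWORD'
    AND  second_authentication_factor IS NULL
),
-- 2. Baseline: every (user, IP) and (user, client tool) pair seen in
--    successful logins before the 30-day window.
baseline_ip AS (
  SELECT DISTINCT user_name, client_ip
  FROM   snowflake.account_usage.login_history
  WHERE  is_success = 'YES'
    AND  event_timestamp < DATEADD(day, -30, CURRENT_TIMESTAMP())
),
baseline_client AS (
  SELECT DISTINCT user_name, reported_client_type
  FROM   snowflake.account_usage.login_history
  WHERE  is_success = 'YES'
    AND  event_timestamp < DATEADD(day, -30, CURRENT_TIMESTAMP())
)
-- 3. Single-factor logins from an IP or client tool the user never used
--    before. A user created inside the window has no baseline and will
--    show up here; that is intended, new accounts deserve a look too.
SELECT l.event_timestamp,
       l.user_name,
       l.client_ip,
       l.reported_client_type,
       IFF(bi.user_name IS NULL, 'new IP',     '') AS ip_flag,
       IFF(bc.user_name IS NULL, 'new client', '') AS client_flag
FROM   sf_logins l
LEFT JOIN baseline_ip     bi ON bi.user_name = l.user_name
                            AND bi.client_ip = l.client_ip
LEFT JOIN baseline_client bc ON bc.user_name = l.user_name
                            AND bc.reported_client_type = l.reported_client_type
WHERE  bi.user_name IS NULL OR bc.user_name IS NULL
ORDER  BY l.event_timestamp DESC;

-- 4. Direct IoC match over a longer window, including FAILED attempts:
--    a burst of failures from an IoC address is the credential-stuffing
--    phase itself. Replace the placeholder strings with the indicators
--    Snowflake shared with you.
SELECT event_timestamp,
       user_name,
       client_ip,
       reported_client_type,
       is_success,
       error_message
FROM   snowflake.account_usage.login_history
WHERE  event_timestamp >= DATEADD(day, -90, CURRENT_TIMESTAMP())
  AND (client_ip IN ('<ioc_ip_1>', '<ioc_ip_2>')
       OR reported_client_type IN ('<ioc_client_string>'))
ORDER  BY event_timestamp DESC;
```

    For any hit, follow the login's EVENT_ID into SNOWFLAKE.ACCOUNT_USAGE.SESSIONS (LOGIN_EVENT_ID) and then into QUERY_HISTORY by SESSION_ID to see what the session actually read or exported; a compromised session that ran COPY INTO an external stage is the difference between an intrusion and a breach notification.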

    For organizations using Snowflake, security experts advise disabling inactive accounts, enforcing multifactor authentication on every account, and applying the mitigation guidance Snowflake has published.
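    Each of those recommendations is a few statements in Snowflake SQL, and two further controls (key-pair authentication for service accounts and an account-level network policy) close the gap the campaign exploited: a stolen password is useless if it cannot be used without a second factor and cannot be used from an address outside the allow list. The script below is an added example, not from the article or from Snowflake's own documentation; it assumes ACCOUNTADMIN, and the user names, public key, IP ranges and policy names are placeholders. The authentication-policy step assumes that feature is available on your account.

```sql
-- Added example: applying the recommended mitigations in Snowflake SQL.
-- Not from the article or from Snowflake. Run as ACCOUNTADMIN; review
-- each SELECT before running the ALTERs that follow it.

-- 1. Inventory: active users who can log in with a password and have no
--    MFA device enrolled. In this view DISABLED and EXT_AUTHN_DUO are
--    VARIANT columns, hence the ::boolean casts; EXT_AUTHN_DUO is TRUE
--    once the user has enrolled in Snowflake's built-in MFA.
SELECT name, login_name, email, last_success_login
FROM   snowflake.account_usage.users
WHERE  deleted_on IS NULL
  AND  COALESCE(disabled::boolean, FALSE) = FALSE
  AND  has_password = TRUE
  AND  COALESCE(ext_authn_duo::boolean, FALSE) = FALSE
ORDER  BY last_success_login DESC NULLS LAST;

-- 2. Inactive accounts: no successful login in 90 days (or ever).
--    Disable rather than drop, so history and ownership stay intact.
SELECT name, last_success_login
FROM   snowflake.account_usage.users
WHERE  deleted_on IS NULL
  AND  COALESCE(disabled::boolean, FALSE) = FALSE
  AND (last_success_login IS NULL
       OR last_success_login < DATEADD(day, -90, CURRENT_TIMESTAMP()));

ALTER USER STALE_USER_PLACEHOLDER SET DISABLED = TRUE;

-- 3. Credential reset for active human accounts: set a fresh random
--    password and force a change at next login, so the old one found in
--    an infostealer log no longer works.
ALTER USER ANALYST_PLACEHOLDER
  SET PASSWORD = '<new-random-password>'
      MUST_CHANGE_PASSWORD = TRUE;

-- 4. Service accounts cannot do MFA prompts: move them to key-pair
--    authentication and remove the password entirely. The public key is
--    the base64 body of the PEM file without the header/footer lines.
ALTER USER ETL_SVC_PLACEHOLDER SET RSA_PUBLIC_KEY = 'MIIBIjANBgkqh...';
ALTER USER ETL_SVC_PLACEHOLDER UNSET PASSWORD;

-- 5. Require MFA enrollment for password logins account-wide instead of
--    relying on each user to opt in (assumes authentication policies are
--    available on your account).
CREATE OR REPLACE AUTHENTICATION POLICY require_mfa
  MFA_ENROLLMENT = REQUIRED
  CLIENT_TYPES   = ('SNOWFLAKE_UI', 'DRIVERS', 'SNOWSQL');
ALTER ACCOUNT SET AUTHENTICATION POLICY require_mfa;

-- 6. Network policy: only corporate egress and VPN ranges may log in.
--    Placeholder ranges from RFC 5737. Make sure the IP you are running
--    this from is on the list, or Snowflake will refuse to activate it.
CREATE OR REPLACE NETWORK POLICY corp_only
  ALLOWED_IP_LIST = ('203.0.113.0/24', '198.51.100.10')
  COMMENT = 'Corporate egress and VPN only';
ALTER ACCOUNT SET NETWORK_POLICY = corp_only;

-- 7. Verify: after the change, no active password user should be left
--    without MFA. Re-run step 1; an empty result is the goal.
```

    Note that a network policy set at the account level also applies to service accounts and BI tools; check their source addresses in LOGIN_HISTORY first and attach a narrower policy to those users with ALTER USER ... SET NETWORK_POLICY if they connect from cloud ranges that must not be opened to everyone.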

    The incidents highlight the risk of credential theft and weak access controls, even on systems such as demo environments that hold no production data.
