Snowflake Data Breach Linked to Satander and Ticketmaster Breaches

Written by Mitchell Langley

June 5, 2024

Snowflake Data Breach Linked to Satander and Ticketmaster Breaches

The alleged Snowflake Data Breach has impacted several major organizations including Ticketmaster and Santander Bank through unauthorized access to cloud data stored in Snowflake accounts.

Snowflake Data Breach Caused by Hackers Using Credential Stuffing

Security researchers have linked the Ticketmaster data breach and Santander Bank breach to credential stuffing attacks targeting Snowflake, a popular cloud data management platform.

In mid-May, Santander disclosed that customer information in Chile, Spain and Uruguay was compromised along with data on all former and current employees.

Ticketmaster also notified customers in late May that their user data was involved in an unauthorized data access through a third-party cloud vendor. On May 27th, the hacking group ShinyHunters claimed to have stolen the data of over 560 million Ticketmaster customers, asking for a $500,000 ransom.

Both companies did not name Snowflake initially but the cloud vendor later acknowledged an investigation into a “targeted threat campaign” against some customer accounts.

ShinyHunters Claim Access to Hundreds of Snowflake Accounts

In a conversation with security researchers from Hudson Rock, a threat actor known as ShinyHunters who claimed responsibility for the breaches said they had access to data from over 400 Snowflake customer accounts. Hudson Rock published these claims in a since-deleted blog post.

Some of the organizations named by the hackers included Anheuser-Busch, Allstate, Advance Auto Parts, Mitsubishi, Neiman Marcus, Progressive, and State Farm in addition to Ticketmaster and Santander Bank.

The Australian Cyber Security Center also indicated it was aware of “successful compromises of several companies utilizing Snowflake environments” and was monitoring increased threat activity related to customer environments.

The hackers were reportedly demanding $20 million from Snowflake in exchange for not leaking the stolen data online.

Snowflake Denies Claims of Hackers Breaching Its Platform

Snowflake acknowledged an increase in threat activity targeting some customer accounts but denies any platform vulnerabilities were exploited.

“We have not identified evidence suggesting this activity was caused by a vulnerability, misconfiguration or breach of Snowflake’s platform. We have not identified evidence suggesting this activity was caused by compromised credentials of current or former Snowflake personnel.

This appears to be a targeted campaign directed at users with single-factor authentication. As part of this campaign, threat actors have leveraged credentials previously purchased or obtained through infostealing malware.” Snowflake said in a statement.

However, researchers point to inconsistencies in Snowflake’s statements.

Evidence suggests the threat actor obtained credentials for a Snowflake employee’s ServiceNow account, bypassing Okta protections to generate session tokens allowing direct access to customer data on Snowflake systems.

Researchers also quoted the hackers claiming to have accessed data on over 500 Snowflake demo environments and an infostealer log showing a Snowflake employee was infected in October 2023. While Snowflake says the demo account access was through non-sensitive systems, they confirm credentials for a former employee’s demo account lacking multifactor authentication were compromised.

Organizations Take Action in Response to Snowflake Data Breach

In response to the cyber incidents, organizations are taking steps to secure their cloud environments and protect customers. Snowflake is recommending all customers immediately implement multifactor authentication and reset credentials for all active accounts. The company is also sharing indicators of compromise with impacted customers to help detect any suspicious activity.

For organizations utilizing Snowflake, security experts advise disabling inactive accounts, ensuring multifactor authentication is enabled for all accounts, and applying the mitigation guidance from Snowflake.

The incidents highlight the risks of credential theft and improper access controls even on systems like demo environments.

Related Articles

How AI is Revolutionizing Phishing Attacks

How AI is Revolutionizing Phishing Attacks

 -  New: New Phishing attacks have long been a major concern for enterprise organizations wordwide. As technology continues to advance, cybercriminals are finding new and innovative ways to exploit vulnerabilities and deceive unsuspecting individuals. In recent years,...

Stay Up to Date With The Latest News & Updates

Join Our Newsletter


Subscribe To Our Newsletter

Sign up to our weekly newsletter summarizing everything thats happened in data security, storage, and backup and disaster recovery

You have Successfully Subscribed!