Snowflake Accused Of Massive Data Breaches Related To Ticketmaster And Santander Bank


Written by: Andrea Miliani, Tech Writer
Fact-checked by: Justyn Newman, Head Content Manager

The American cloud data company Snowflake Inc. has been accused of responsibility for two major recent breaches of its customers Ticketmaster and Santander, in which attackers stole sensitive information belonging to roughly 560 million and 30 million people respectively. Snowflake denies that its platform was at fault.

Live Nation, the American entertainment company, disclosed in a filing with the U.S. Securities and Exchange Commission that on May 20 it had “identified unauthorized activity within a third-party cloud database environment” linked to Ticketmaster. TechCrunch reported that the stolen data had been hosted on Snowflake’s cloud storage.

Separately, Santander, another Snowflake customer, confirmed in a public statement a few weeks earlier that it had suffered a third-party data breach. According to that statement, the attackers took information on customers in Chile, Uruguay, and Spain, as well as data on current and former employees worldwide.

According to the BBC, the hackers have been offering the data for sale on the dark web. The 1.3 terabytes stolen from Ticketmaster, allegedly including customers’ names, phone numbers, partial credit card details, addresses, and order histories, has been offered for $500,000, while the Santander data, which according to the sellers’ ad contains bank account balances, credit card information, and staff details, is listed at $2 million.

The group ShinyHunters claims responsibility for both attacks and is urging the companies to buy the data back, though experts caution that such claims need careful verification and may amount to a publicity stunt.

Snowflake has been linked to the attacks, but, while both companies are indeed its customers, the company issued a statement saying its investigation shows the attackers did not obtain the data through a flaw in its platform. Instead, Snowflake attributes the thefts to weaknesses on its customers’ side, namely compromised credentials on accounts without multi-factor authentication.

Rumors Blaming Snowflake Spread Quickly

On May 31, the cybersecurity firm Hudson Rock published a report claiming to explain how the hackers got into Snowflake’s environment, based on a Telegram conversation with one of the threat actors. The report was taken down on June 3 after Snowflake’s legal team contacted the firm.

“In accordance with a letter we received from Snowflake’s legal counsel, we have decided to take down all the content related to our report,” Hudson Rock said in an official statement image posted on LinkedIn.

In the now-archived post, Hudson Rock said it had spoken with one of the hackers and published screenshots of the conversation. The threat actor claimed to have signed “into a Snowflake employee’s ServiceNow account using stolen credentials, thus bypassing OKTA which is located on lift.snowflake.com.”

From there, the actor claimed, they generated session tokens and gained access to massive amounts of customer data. The hackers allegedly gathered data from more than 400 Snowflake clients, including Mitsubishi, Allstate, State Farm, Advance Auto Parts, and the companies involved in the recent breaches.

Hudson Rock’s account spread quickly on social media, where numerous accounts reposted it and produced related content.

Snowflake Denies Responsibility

Snowflake, together with the incident response firms Mandiant and CrowdStrike, posted a statement on its community forum addressing the recent threats and accusations. The company shared its findings to date and said it had found no vulnerability in its platform that could account for the breaches.

“We have not identified evidence suggesting this activity was caused by compromised credentials of current or former Snowflake personnel,” the statement says. However, the company did acknowledge that a threat actor had obtained credentials for a demo account belonging to a former employee.

“It did not contain sensitive data. Demo accounts are not connected to Snowflake’s production or corporate systems,” the company clarified. Snowflake’s assessment is that the attackers, as part of a broader credential-theft campaign, logged in to customer accounts protected by only a single authentication factor and exfiltrated data from them.

The company’s recommendations to organizations include creating network policy rules that restrict which IP addresses can reach a Snowflake account, enforcing multi-factor authentication on every account, and rotating and resetting Snowflake credentials.
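What those three recommendations look like in practice, as an added example written for this page rather than text taken from Snowflake’s, Mandiant’s or CrowdStrike’s guidance. It uses standard Snowflake SQL (network policies, the ACCOUNT_USAGE.LOGIN_HISTORY view, and ALTER USER); the policy name, IP ranges and user names are placeholders.

```sql
-- Added example, not from the original article or from Snowflake's own advisory.
-- Policy name, IP ranges and user names below are placeholders (assumptions).

-- 1. Network policy: only the listed source addresses may authenticate to the account.
--    Applying it account-wide means a stolen password alone is useless from an
--    attacker's own infrastructure.
USE ROLE SECURITYADMIN;
CREATE NETWORK POLICY IF NOT EXISTS corp_only_policy
  ALLOWED_IP_LIST = ('203.0.113.0/24', '198.51.100.10')   -- placeholder corporate egress ranges
  COMMENT = 'Only corporate egress addresses may log in';
ALTER ACCOUNT SET NETWORK_POLICY = corp_only_policy;

-- 2. Find the single-factor logins the attackers were after: successful password
--    authentications with no second factor in the last 30 days, ranked by how many
--    distinct source addresses used each account. Users surfacing here need MFA
--    enrolled before anything else.
USE ROLE ACCOUNTADMIN;
SELECT user_name,
       COUNT(*)                  AS single_factor_logins,
       COUNT(DISTINCT client_ip) AS distinct_source_ips,
       MIN(event_timestamp)      AS first_seen,
       MAX(event_timestamp)      AS last_seen
FROM snowflake.account_usage.login_history
WHERE event_timestamp >= DATEADD('day', -30, CURRENT_TIMESTAMP())
  AND is_success = 'YES'
  AND first_authentication_factor = 'PASSWORD'
  AND second_authentication_factor IS NULL
GROUP BY user_name
ORDER BY distinct_source_ips DESC, single_factor_logins DESC;

-- 3. Rotate and reset credentials: force a fresh password at next login for accounts
--    that were reachable with single-factor auth, and disable accounts that should no
--    longer exist (former employees, stale demo users) rather than just resetting them.
ALTER USER example_user SET PASSWORD = 'REPLACE-WITH-GENERATED-SECRET' MUST_CHANGE_PASSWORD = TRUE;
ALTER USER former_employee SET DISABLED = TRUE;
```

Two operational caveats. An account-level network policy locks out everyone not on the allow list, including the administrator running it, so confirm your own egress address is in ALLOWED_IP_LIST before the ALTER ACCOUNT. And ACCOUNT_USAGE views are populated with a delay of up to a couple of hours, so a login that happened minutes ago will not yet appear in the second query; use SHOW USERS or the INFORMATION_SCHEMA LOGIN_HISTORY table function for near-real-time checks.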

The U.S. and Australian governments have issued warnings about the threat activity and circulated Snowflake’s recommendations.

Users On Social Media Debate

Users following the story have shared differing views on social media. “So who has the truth, Snowflake or threat actor?” one confused user commented on Hudson Rock’s LinkedIn post.

“Snowflake I do hope that while you are trying to shush a very trusted source and a fair actor, Hudson Rock, you are also working on integrating their security solutions,” added another.

On X, a widely shared post raised a broader worry: “This is getting a bit out of hand. What if the TicketMaster/LiveNation situation wasn’t even the highest value target yet, just the first one to leak?”

Other X accounts, such as vxunderground, which had initially shared Hudson Rock’s report, welcomed Snowflake’s updates. “We applaud Snowflake for hiring not one but two DFIR consulting firms. That is a pretty penny spent and it appears Snowflake took the rumors and speculation very seriously. That is cool and badass,” they wrote in a recent post.
