Ticketmaster And Santander Data Breaches ‘Not Down To Us’ Says Snowflake

Snowflake acknowledges that one of its former employees had their account compromised. However, the third-party cloud data storage company denies any connection between this breach and the recent ‘ShinyHunters’ attacks on Ticketmaster and Santander Bank customers. Ticketmaster has already confirmed its own security breach.

Snowflake has denied any involvement in the recent cyberattacks on Ticketmaster and Santander Bank, which resulted in the exposure of sensitive data belonging to over 500 million customers. However, Snowflake did acknowledge discovering evidence that the threat actor responsible for the data breaches obtained personal credentials for, and gained access to, a demo account belonging to one of its former employees.

“Threat Actor Obtained Personal Credentials”

Snowflake CISO Brad Jones states:

  • We have not identified evidence suggesting this activity was caused by a vulnerability, misconfiguration, or breach of Snowflake’s platform.
  • We have not identified evidence suggesting this activity was caused by compromised credentials of current or former Snowflake personnel.
  • This appears to be a targeted campaign directed at users with single-factor authentication.
  • As part of this campaign, threat actors have leveraged credentials previously purchased or obtained through infostealing malware; and
  • We did find evidence that a threat actor obtained personal credentials to and accessed demo accounts belonging to a former Snowflake employee. It did not contain sensitive data. Demo accounts are not connected to Snowflake’s production or corporate systems. The access was possible because the demo account was not behind Okta or Multi-Factor Authentication (MFA), unlike Snowflake’s corporate and production systems.

Snowflake urges organizations to enforce multi-factor authentication on all accounts, to set up network policies that admit only authorized users and traffic from trusted locations, and, where an organization has been impacted, to reset and rotate its Snowflake credentials.
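As an added example (not from the article or from Snowflake's statement), the Snowflake SQL a defender could use to audit and apply the three controls above: the `login_history` query flags successful password logins that carried no second factor, then a network policy, an MFA-requiring authentication policy and a credential reset follow. The policy names, IP ranges and user name are placeholders, and the authentication-policy syntax assumes an account on which that feature is available.

```sql
-- Added example, not from the article or Snowflake's own text.
-- All object names, CIDRs and the user name below are placeholders.

-- 1. Inventory: successful password logins in the last 30 days with no second
--    factor. These are the single-factor accounts the campaign targeted.
SELECT user_name,
       client_ip,
       COUNT(*)             AS single_factor_logins,
       MAX(event_timestamp) AS last_seen
FROM   snowflake.account_usage.login_history
WHERE  event_timestamp >= DATEADD(day, -30, CURRENT_TIMESTAMP())
  AND  is_success = 'YES'
  AND  first_authentication_factor = 'PASSWORD'
  AND  second_authentication_factor IS NULL
GROUP  BY user_name, client_ip
ORDER  BY single_factor_logins DESC;

-- 2. Network policy: only trusted egress ranges may reach the account
--    (203.0.113.0/24 and 198.51.100.10 are documentation addresses, not real ones).
CREATE NETWORK POLICY IF NOT EXISTS trusted_locations
  ALLOWED_IP_LIST = ('203.0.113.0/24', '198.51.100.10')
  COMMENT = 'Corporate VPN range and the ETL host only';
ALTER ACCOUNT SET NETWORK_POLICY = trusted_locations;

-- 3. Require MFA enrollment for every password login at the account level.
CREATE AUTHENTICATION POLICY IF NOT EXISTS require_mfa
  MFA_ENROLLMENT = REQUIRED
  MFA_AUTHENTICATION_METHODS = ('PASSWORD');
ALTER ACCOUNT SET AUTHENTICATION POLICY require_mfa;

-- 4. Rotate credentials for an impacted user (placeholder name): invalidate the
--    current password and drop any key-pair credential, so a stolen copy of
--    either stops working. RESET PASSWORD returns a one-time URL for the user.
ALTER USER etl_service_user RESET PASSWORD;
ALTER USER etl_service_user UNSET RSA_PUBLIC_KEY;
```

Run step 1 first and review the output before applying step 2, since a network policy that omits a legitimate range locks out the automation using it.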

Third-Party Cloud Data Breach

Ticketmaster and Santander Bank have both attributed the breaches to a third-party cloud data breach but have not disclosed the specific vendor involved. Ticketmaster’s parent company, LiveNation, is currently facing a class-action lawsuit due to the Ticketmaster breach. LiveNation has acknowledged the breach in a filing with the US Securities and Exchange Commission, stating that they are taking steps to minimize risk for their users and the company. They have also informed and are cooperating with law enforcement authorities. Furthermore, the Australian Signals Directorate (ASD), a division of the Australian Government, has issued a direct alert to Snowflake customers. The ASD’s Australian Cyber Security Center has become aware of successful breaches in multiple companies that utilize Snowflake environments.

“Cloud vendors have long promoted the notion that cloud computing is more secure than traditional on-premises solutions,” said Tim Royston-Webb, CEO, SentryBay. “Nevertheless, these vendors still bear the responsibility of keeping their customers informed about the status of their security configurations, third-party applications, and maintaining effective behavioral detection systems.”