Snowflake Denies Responsibility for Ticketmaster, Santander Breaches

Snowflake admits an ex-employee account was compromised, but the third-party cloud data storage software company denies the hack is linked to a pair of high-profile ‘ShinyHunters’ attacks on Ticketmaster and Santander Bank customers. Ticketmaster has confirmed its breach.

Shane Snider, Senior Writer, InformationWeek

June 3, 2024


Snowflake over the weekend denied responsibility for recent attacks on Ticketmaster and Santander Bank that exposed more than half a billion customers’ sensitive data, while admitting that it found evidence that “similar to impacted customer accounts, the threat actor obtained personal credentials to and accessed a demo account owned by a former Snowflake employee.”

“We have not identified evidence suggesting this activity was caused by a vulnerability, misconfiguration, or breach of Snowflake’s Platform,” Snowflake CISO Brad Jones wrote in a late Friday blog post. Jones said the former employee’s account “did not contain sensitive data” and was “not connected to Snowflake’s production or corporate systems.”

Snowflake recommends that organizations enforce multi-factor authentication on all accounts and set up network policy rules to allow only authorized users and traffic from trusted locations, and that impacted organizations reset and rotate Snowflake credentials.

Both Ticketmaster’s parent Live Nation and Santander Bank said the breaches were the result of a third-party cloud data breach, without specifying the vendor. In a report published Friday, research firm Hudson Rock claimed it communicated with ShinyHunters and that the threat actor had told the firm that “all of these breaches stem from the hack of a single vendor -- Snowflake.”


The group was then able to “sign into a Snowflake employee’s ServiceNow account using stolen credentials, thus bypassing Okta [multi-factor authentication],” Hudson Rock claims.

Additionally, the Australian Government’s Australian Signals Directorate (ASD) issued an alert directly to Snowflake customers. “The ASD’s [Australian Cyber Security Center] is aware of successful compromises of several companies utilizing Snowflake environments.”

Live Nation, which is the subject of a class-action lawsuit over the Ticketmaster breach, in a Friday filing with the US Securities and Exchange Commission confirmed the breach, saying, “we are working to mitigate risk to our users and the Company, and have notified and are cooperating with law enforcement.”

According to Hudson Rock, ShinyHunters claims to have breached other firms as well, including Anheuser-Busch, State Farm, Mitsubishi, Progressive, Neiman Marcus, Allstate, Advance Auto Parts, and many more.

Who’s to Blame? A Question of Shared Responsibility

Brian Soby, CTO and co-founder of SaaS security firm AppOmni, says he’s not surprised Snowflake is taking a defensive posture and putting responsibility on the customer.


“The vendor can’t make it sound like their product could potentially cause an issue,” Soby says. However, cloud vendors have for years sold the idea that cloud is more secure than on-premises solutions. “We’ve sold that so hard that customers forgot that they still have responsibility. They still need to know what’s going on with their security configurations, they still need to know their third-party apps, and they still need to monitor and have good behavioral detections.”

Soby says the source of the breach likely extends beyond the single instance of the former Snowflake employee’s credentials being used. “You look at Ticketmaster with a 560-million customer breach, and it's like, all right, that doesn’t really sound like a demo instance -- to me, that’s a stretch.”

InformationWeek has reached out to Snowflake for comments and will update with any response.

About the Author(s)

Shane Snider

Senior Writer, InformationWeek

Shane Snider is a veteran journalist with more than 20 years of industry experience. He started his career as a general assignment reporter and has covered government, business, education, technology and much more. He was a reporter for the Triangle Business Journal, Raleigh News and Observer and most recently a tech reporter for CRN. He was also a top wedding photographer for many years, traveling across the country and around the world. He lives in Raleigh with his wife and two children.
