Major breaches allegedly caused by unsecured Snowflake accounts

Significant data breaches at Ticketmaster and Santander appear to have been orchestrated through careful targeting of the victims’ Snowflake cloud data management accounts

Alex Scroxton,
Security Editor

Published: 03 Jun 2024 16:45

Significant data breaches at online ticketing platform Ticketmaster and consumer bank Santander appear to be linked to the abuse of unsecured accounts held with cloud data management platform Snowflake, it has emerged over the past few days.

The Ticketmaster breach – confirmed on Friday 31 May by parent organisation Live Nation – saw the personal details of over 550 million customers stolen, including names, addresses, phone numbers and some credit card details.

The ongoing incident at Santander has seen the data of customers in Spain and Latin America stolen, as well as personal information on some previous and all current employees of the bank, numbering 200,000 people worldwide and about 20,000 in the UK.

Both incidents have been claimed by a group known as ShinyHunters – which also operated the BreachForums site that was recently taken down by police but appears to still be operating with impunity. The cyber criminals are demanding a half-a-million dollar ransom from Ticketmaster and two million dollars from Santander.

Although Snowflake was not explicitly named by either organisation, the firm confirmed it was investigating a “targeted threat campaign” against customer accounts, with assistance from CrowdStrike and Mandiant.

In a statement, Snowflake said: “We have not identified evidence suggesting this activity was caused by a vulnerability, misconfiguration or breach of Snowflake’s platform. We have not identified evidence suggesting this activity was caused by compromised credentials of current or former Snowflake personnel.

“This appears to be a targeted campaign directed at users with single-factor authentication. As part of this campaign, threat actors have leveraged credentials previously purchased or obtained through infostealing malware.”

Personal credentials

It additionally confirmed it had found some evidence that a threat actor had obtained personal credentials and accessed demo accounts belonging to a former Snowflake employee, which were not protected by its Okta or multi-factor authentication (MFA) services, but that these accounts were not connected to its production or corporate systems and did not contain any sensitive information.

Snowflake is recommending its customers immediately implement MFA, establish network policy rules to only allow authorised users or traffic from trusted locations, and reset and rotate their credentials. More information, including indicators of compromise, is available here.

Disputed claims

Based on Snowflake’s testimony, the issues would appear to have been caused by cyber security failings at its customers. However, its version of events is very much at odds with other information that has been coming to light over the past few days, much of it contained in a since-deleted blog – which is archived in its entirety here – posted by researchers at Hudson Rock.

Based on a conversation with someone claiming to be a ShinyHunters insider, Hudson Rock said its researchers were told that contrary to Snowflake’s version, the attackers had actually accessed a Snowflake employee’s ServiceNow account using stolen credentials, bypassing Okta protections and generating session tokens that enabled them to steal its customers’ data directly from Snowflake’s systems.

The threat actor shared information suggesting that at least 400 customers had been compromised through its access, and appeared to suggest they had been looking for a payoff from Snowflake rather than its customers – although it’s important to remember it’s never wise to trust the word of a cyber criminal or take their claims at face value.

Identity the vector

Although not a classic example of a supply chain attack – per Snowflake’s reading of events – the incidents at Ticketmaster and Santander hold much in common with other supply chain attacks, including the use of identity compromises as an access vector.

“This year, we have seen a sequence of breaches that have affected major software-as-a-service [SaaS] vendors, such as Microsoft, Okta, and now Snowflake,” said Glenn Chisholm, co-founder and chief product officer of Obsidian Security.

“The commonality across these breaches is identity; the attackers are not breaking in, they are logging in,” he said. “In incident response engagements we have seen through partners like CrowdStrike, we see SaaS breaches often starting with identity compromises – in fact, 82% of SaaS breaches stem from identity compromises such as spear phishing, token theft and reuse, helpdesk social engineering, etcetera. This includes user identities as well as non-human (application) identities.”

The lessons for users are clear, said Chisholm. SaaS is a highly targeted space with multiple attacks occurring across the spectrum, from nation state attackers to financially motivated hackers such as ShinyHunters. As such, every company using SaaS products needs to implement a SaaS security programme, or review their existing ones.

“Ensure the correct application posture to minimise risk, protect their identities which form the perimeter of your SaaS applications, and secure their data movement,” said Chisholm. “These must be a continuous programme since your applications evolve, configurations change, identities get introduced and attackers change their patterns. In other words, you need automation to scale this across all your SaaS applications.”

Toby Lewis, head of threat analysis at Darktrace, said that even if no Snowflake systems were directly compromised, the supplier could still have done more to prevent the attacks on its customers.

“Cloud providers should encourage better security practices, such as mandatory MFA, even without explicit requirements on them to do so under the shared responsibility model,” said Lewis.

“In essence, it becomes a differentiator when weighing up different cloud providers – pick the one that has secure-by-default practices to enhance overall security.”

Read more on Data breach incident management and recovery

Snowflake: No evidence of platform breach