Infosec analysts at Hudson Rock believe Snowflake was compromised by miscreants who used that intrusion to steal data on hundreds of millions of people from Ticketmaster, Santander, and potentially other customers of the cloud storage provider. Snowflake denies its security was defeated.

This week one or more crooks going by the handle ShinyHunters was spotted putting what's understood to be 1.3TB of data stolen from Ticketmaster up for sale on an underworld forum. That trove, yours for $500,000, is said to contain records on 560 million Ticketmaster customers: Their names, email addresses, phone numbers, physical addresses, transaction details, and partial payment card information.

ShinyHunters is also advertising, for $2 million, information said to be stolen from the international bank Santander. That data dump is said to comprise the details of 30 million account holders, 28 million card numbers, internal HR files, and other records.

Earlier this month, Santander confirmed it had been compromised, and said the security breach affected customers of Santander Chile, Spain, and Uruguay, plus all of its current and some former workers. Santander employs about 200,000 people globally.

"We recently became aware of an unauthorized access to a Santander database hosted by a third-party provider," the bank said in a statement. "We apologise for the concern this will understandably cause and are proactively contacting affected customers and employees directly. We have also notified regulators and law enforcement and will continue to work closely with them."

'Largest to date'

Today, Hudson Rock claimed all that info from Ticketmaster and Santander, and potentially hundreds of other organizations, was stolen from one vendor in particular: Snowflake. Hudson Rock said it came to this conclusion after speaking to crooks claiming responsibility for the cyber-heist.

Snowflake provides cloud data storage services to many of the largest enterprises in the world. This alleged intrusion and exfiltration of data from Snowflake, which Hudson characterizes as "one of the largest data breaches to date," is said to have involved the use of a Snowflake employee's login details obtained in October using info-stealing malware some believe was Lumma.

These credentials were supposedly used to sign into the employee's ServiceNow account, apparently side-stepping Snowflake's Okta-based access management system. Once inside, it's claimed, the criminals were able to generate session tokens that were used to exfiltrate large quantities of customer data from Snowflake's systems, with the apparent goal of holding it for a claimed $20 million ransom. It doesn't appear the money was ever paid, if Snowflake was indeed compromised.

Communications between Hudson and the alleged thieves indicate that as many as 400 Snowflake customers may have been swept up in the security breach.

We do not believe this activity is caused by any vulnerability, misconfiguration, or malicious activity within the Snowflake product

However, in a statement on Friday, Snowflake denied many of the assertions made in the Hudson disclosure. According to the cloud storage house, if anything was taken from its servers, it was done via its customers' individual cloud accounts, using their login info stolen by some other means, and not via some hole, weakness, or blunder at Snowflake's end.

"Snowflake recently observed and is investigating an increase in cyber threat activity targeting some of our customers' accounts. We believe this is the result of ongoing industry-wide, identity-based attacks with the intent to obtain customer data," the biz said.

"Research indicates that these types of attacks were performed using our customers' user credentials that were exposed through unrelated cyber threat activity."

"To date, we do not believe this activity is caused by any vulnerability, misconfiguration, or malicious activity within the Snowflake product," it said, adding it has contacted a small number of customers whose accounts showed suspicious activity.

"Snowflake is a cloud product and anyone can sign up for an account at any time. If a threat actor obtains customer credentials, they may be able to access the account."

Furthermore, the biz said: "Snowflake does not believe that it was the source of any of the leaked customer credentials."

Snowflake - which is holding its own Data Summit conference next week - did acknowledge it had uncovered evidence that a miscreant had obtained access to a former employee's demo account, but claimed that account did not contain any sensitive data, as it wasn't connected to the company's production or corporate systems.

Access to the account was only possible because it wasn't secured by Okta or multi-factor authentication, unlike its other systems, Snowflake added.

Snowflake's argument, it seems, is that the compromised demo account couldn't have been used to raid Ticketmaster et al. We've asked Hudson Rock for its take on Snowflake's response. ®

https://www.theregister.com//2024/05/31/snowflake_breach_report/