
Ticketmaster Breach Tied to Hacks at Cloud Provider Snowflake

Hackers are targeting cloud storage platform Snowflake to steal data from enterprise customers.


UPDATE 3: Two other cybersecurity vendors, Crowdstrike and Mandiant, also say they've uncovered no evidence indicating that Snowflake was breached. "This appears to be a targeted campaign directed at [Snowflake] users with single-factor authentication," Crowdstrike and Mandiant said through a statement posted on Snowflake's website.


UPDATE 2: Hudson Rock has taken down its post alleging that Snowflake suffered a massive breach. On Monday, the cybersecurity vendor said it did so, citing a letter it received from Snowflake's legal counsel. Meanwhile, Snowflake says Hudson Rock's research was "inaccurate."


UPDATE 1: Live Nation Entertainment has confirmed that subsidiary Ticketmaster suffered a breach, but provided few details, including how many users were affected. In a Securities and Exchange Commission (SEC) filing, Live Nation says it detected "unauthorized activity within a third-party cloud database environment containing company data" on March 20. In response, the company has launched an investigation with "industry-leading forensic investigators" and is preparing to notify affected customers.


Original story:
Evidence is emerging that hackers have been targeting a cloud storage platform called Snowflake to steal data from customers—which may include Ticketmaster.  

Snowflake, which supplies cloud analysis solutions to numerous big brands, confirmed on Friday that it’s “investigating an increase in cyber threat activity targeting some of our customers’ accounts.” That statement came after cybersecurity vendor Hudson Rock claimed Snowflake suffered a “massive breach” impacting as many as 400 companies. 

Hudson Rock learned of the incident after speaking with a hacker who claimed to have stolen data from Ticketmaster and Santander Bank. “The threat actor adds that all of these breaches stem from the hack of a single vendor — Snowflake,” the cybersecurity vendor says. 

The hacker claims to have breached Snowflake by stealing login credentials from a company employee’s ServiceNow account, which appears to have been integrated into Snowflake’s internal IT environment. Signing into this account allowed the hacker to bypass security protections from Snowflake’s single sign-on provider Okta. 

“Following the infiltration, the threat actor claims that they were able to generate session tokens, which enabled them to exfiltrate massive amounts of data from the company,” Hudson Rock added. The hacker then tried to extort $20 million from Snowflake but received no response from the Montana-based company. 


Hudson Rock also says it received logs from the hacker, which indicate a Snowflake employee’s computer was infected with an infostealer malware in October. This likely paved the way for the hacker to loot the login credentials necessary to breach the cloud storage provider.

However, Snowflake is denying major aspects of Hudson Rock’s report. Instead, the company is indicating the hacking activities involved cybercriminals exploiting customer login credentials “exposed through unrelated cyber threat activity,” rather than a direct breach of its own systems. 

In response, Snowflake has notified a “limited number of customers” who may have been affected. But the company is pushing back against the allegation that a hacker infiltrated an internal production environment at Snowflake. The company says it's only uncovered evidence showing that a hacker stole the login credentials and accessed a “demo account” belonging to a former Snowflake employee. 

“It did not contain sensitive data. Demo accounts are not connected to Snowflake’s production or corporate systems,” Snowflake added. “The access was possible because the demo account was not behind Okta or MFA, unlike Snowflake’s corporate and production systems.”

The company went on to deny that Snowflake possesses an API or pathway for customers’ logins to be accessed and stolen from its production environment. 

“We have no evidence suggesting this activity was caused by any vulnerability, misconfiguration, or breach of Snowflake’s product,” the company added. “Snowflake does not believe that it was the source of any of the leaked customer credentials.” 

In the meantime, a separate cybersecurity vendor called Mitiga also observed a hacker “using stolen customer credentials to target organizations utilizing Snowflake databases.” To do so, the hacker used an attack tool known as “rapeflake” to target Snowflake accounts not protected with two-factor authentication.
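The common thread in the Mitiga, Crowdstrike and Mandiant observations is successful password-only logins to customer accounts. The triage script below is an added example, not code from the article or from Snowflake: it runs over constructed login-history rows whose field names are assumed to mirror the columns of Snowflake's ACCOUNT_USAGE.LOGIN_HISTORY view, and lists the users who signed in with a password and no second factor, together with the client types and source IPs involved, so an administrator can see which accounts the campaign could reach and which sessions deserve review.

```python
"""Triage Snowflake-style login history for single-factor password logins."""

# Constructed sample export (not real data). Field names are assumed to follow
# Snowflake's ACCOUNT_USAGE.LOGIN_HISTORY view; values are illustrative only.
SAMPLE_ROWS = [
    {"EVENT_TIMESTAMP": "2024-05-28T02:14:09", "USER_NAME": "ANALYST1",
     "CLIENT_IP": "198.51.100.7", "REPORTED_CLIENT_TYPE": "PYTHON_DRIVER",
     "FIRST_AUTHENTICATION_FACTOR": "PASSWORD",
     "SECOND_AUTHENTICATION_FACTOR": None, "IS_SUCCESS": "YES"},
    {"EVENT_TIMESTAMP": "2024-05-28T09:02:41", "USER_NAME": "ANALYST2",
     "CLIENT_IP": "203.0.113.5", "REPORTED_CLIENT_TYPE": "SNOWFLAKE_UI",
     "FIRST_AUTHENTICATION_FACTOR": "PASSWORD",
     "SECOND_AUTHENTICATION_FACTOR": "DUO_PUSH", "IS_SUCCESS": "YES"},
    {"EVENT_TIMESTAMP": "2024-05-28T09:05:12", "USER_NAME": "SVC_ETL",
     "CLIENT_IP": "203.0.113.9", "REPORTED_CLIENT_TYPE": "JDBC_DRIVER",
     "FIRST_AUTHENTICATION_FACTOR": "RSA_KEYPAIR",
     "SECOND_AUTHENTICATION_FACTOR": None, "IS_SUCCESS": "YES"},
    {"EVENT_TIMESTAMP": "2024-05-28T11:47:30", "USER_NAME": "ANALYST1",
     "CLIENT_IP": "198.51.100.7", "REPORTED_CLIENT_TYPE": "PYTHON_DRIVER",
     "FIRST_AUTHENTICATION_FACTOR": "PASSWORD",
     "SECOND_AUTHENTICATION_FACTOR": None, "IS_SUCCESS": "NO"},
    {"EVENT_TIMESTAMP": "2024-05-28T12:00:03", "USER_NAME": "ANALYST3",
     "CLIENT_IP": "192.0.2.44", "REPORTED_CLIENT_TYPE": "OTHER",
     "FIRST_AUTHENTICATION_FACTOR": "PASSWORD",
     "SECOND_AUTHENTICATION_FACTOR": None, "IS_SUCCESS": "YES"},
]


def single_factor_successes(rows):
    """Successful password logins with no second factor: the population a
    stolen-credential campaign can reach. Failed attempts and key-pair logins
    are excluded; the latter are not password-based."""
    return [r for r in rows
            if r["IS_SUCCESS"] == "YES"
            and r["FIRST_AUTHENTICATION_FACTOR"] == "PASSWORD"
            and not r["SECOND_AUTHENTICATION_FACTOR"]]


def summarize_by_user(rows):
    """Map each flagged user to the distinct client types and source IPs seen,
    so an unfamiliar driver or address stands out for review."""
    summary = {}
    for r in single_factor_successes(rows):
        entry = summary.setdefault(r["USER_NAME"], {"ips": set(), "clients": set()})
        entry["ips"].add(r["CLIENT_IP"])
        entry["clients"].add(r["REPORTED_CLIENT_TYPE"])
    return summary


if __name__ == "__main__":
    for user, info in sorted(summarize_by_user(SAMPLE_ROWS).items()):
        print(f"{user}: clients={sorted(info['clients'])} ips={sorted(info['ips'])}")
```

Against a real export, the same two functions apply unchanged; the users they return are the ones to move behind MFA or SSO first.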

Security expert Kevin Beaumont says the activity amounts to scraping data from Snowflake, which offers customers free trials.  

Snowflake declined to comment on whether Ticketmaster is a customer. The news arrives days after a hacker on the Russian cybercriminal forum Exploit claimed to have stolen data from 560 million Ticketmaster users. Another hacker called ShinyHunters then repeated the claim this week on BreachForums. So far, Ticketmaster has refused to comment on the breach claims.

About Michael Kan