Snowflake: ‘No Evidence’ Linking Ticketmaster Breach To Its Products, But Signs Of Former Employee Account Accessed

“We have no evidence suggesting this activity was caused by any vulnerability, misconfiguration, or breach of Snowflake’s product,” according to the vendor.

Snowflake has responded to reports that Ticketmaster and Santander Bank were breached through the data cloud vendor, saying in a Friday blog post, “We have no evidence suggesting this activity was caused by any vulnerability, misconfiguration, or breach of Snowflake’s product.”

The Bozeman, Mont.-based vendor said, however, that it “did find evidence that similar to impacted customer accounts, the threat actor obtained personal credentials to and accessed a demo account owned by a former Snowflake employee.”

The account “did not contain sensitive data” and was “not connected to Snowflake’s production or corporate systems,” according to the post. “The access was possible because the demo account was not behind Okta or MFA, unlike Snowflake’s corporate and production systems.”

Snowflake Responds To Breach Reports

Snowflake is a member of CRN’s 2024 Channel Chiefs.

Reports of Snowflake’s potential tie to a breach comes days before the vendor’s annual Data Cloud Summit, which runs Monday through Thursday in San Francisco.

A Snowflake spokesperson referred CRN to the vendor’s blog post about the reports when asked for comment.

In the blog post, authored by Snowflake Chief Information Security Officer Brad Jones, the CISO addresses “some errant claims” made about “a potential compromise of the Snowflake production environment.” The company denied having a master application programming interface (API) “or pathway for customers’ credentials to be accessed and exfiltrated from the Snowflake production environment.”

“Snowflake does not believe that it was the source of any of the leaked customer credentials,” according to the post. “Snowflake is a cloud product and anyone can sign up for an account at any time. If a threat actor obtains customer credentials, they may be able to access the account. Snowflake employees are no different and can also create their own Snowflake ‘customer’ accounts using personal credentials.”

The vendor believes that “an increase in cyber threat activity targeting some of our customers’ accounts” is actually “the result of ongoing industry-wide, identity-based attacks with the intent to obtain customer data.”

“Research indicates that these types of attacks are performed with our customers’ user credentials that were exposed through unrelated cyber threat activity,” according to the vendor.

Snowflake first “became aware of potentially unauthorized access to certain customer accounts on May 23,” according to the post. The vendor “observed increased threat activity beginning mid-April” during its investigation, with that activity coming “from a subset of IP addresses and suspicious clients we believe are related to unauthorized access.”

Snowflake has shared indicators of compromise (IoCs), investigative queries and hardening recommendations on its website.

Accusations From Research Firm

Accusations that Ticketmaster and Santander Bank were hacked through a breach of Snowflake came from at least one research firm, Israel-based Hudson Rock.

CRN has reached out to Hudson Rock for comment.

In a report published Friday, the research firm said it has communicated with a threat actor claiming to have hacked Ticketmaster and Santander and that the actor put data from the companies up for sale on a Russian-speaking cybercrime forum.

The threat actor told Hudson Rock that “all of these breaches stem from the hack of a single vendor — Snowflake,” with the actor allegedly “able to sign into a Snowflake employee’s ServiceNow account using stolen credentials, thus bypassing OKTA” and compromising around 400 companies, according to Hudson Rock.

Ticketmaster parent company Live Nation confirmed in a Friday filing with the U.S. Securities and Exchange Commission (SEC) that on May 20, it “identified unauthorized activity within a third-party cloud database environment containing Company data (primarily from its Ticketmaster L.L.C. subsidiary) and launched an investigation with industry-leading forensic investigators to understand what happened.”

On Monday, “a criminal threat actor offered what it alleged to be Company user data for sale via the dark web,” according to the SEC filing. “We are working to mitigate risk to our users and the Company, and have notified and are cooperating with law enforcement. As appropriate, we are also notifying regulatory authorities and users with respect to unauthorized access to personal information.”

At the time of the filing, “the incident has not had, and we do not believe it is reasonably likely to have, a material impact on our overall business operations or on our financial condition or results of operations,” according to Live Nation. “We continue to evaluate the risks and our remediation efforts are ongoing.”

Santander Bank published an online statement on May 14 acknowledging “unauthorized access to a Santander database hosted by a third-party provider.”

“Following an investigation, we have now confirmed that certain information relating to customers of Santander Chile, Spain and Uruguay, as well as all current and some former Santander employees of the group had been accessed,” according to the post. “Customer data in all other Santander markets and businesses are not affected.”

The post continued: “We apologise for the concern this will understandably cause and are proactively contacting affected customers and employees directly. We have also notified regulators and law enforcement and will continue to work closely with them.”

ShinyHunters is the hacker group believed to be behind the Ticketmaster and Santander Bank breach, according to multiple media reports. In 2021, the group was connected to a breach of Astoria Co.

CRN has reached out to Live Nation, Ticketmaster and Santander for comment.