Snowflake Account Hacks Linked to Santander, Ticketmaster Breaches
A threat actor claiming recent breaches at Santander and Ticketmaster has alleged that they were able to steal data by hacking into an employee’s account at cloud storage giant Snowflake. However, Snowflake has refuted these claims, asserting that the breaches were due to poorly secured customer accounts.
Snowflake, a cloud data platform utilized by 9,437 customers globally, including major corporations like Adobe, AT&T, Capital One, HP, and more, has come under scrutiny following the breach claims. According to cybersecurity firm Hudson Rock, the threat actor also purportedly accessed data from other high-profile companies using Snowflake’s services, such as Anheuser-Busch, State Farm, and Allstate.
The threat actor allegedly bypassed Okta’s authentication process by infiltrating a Snowflake employee’s ServiceNow account with stolen credentials. This allowed them to generate session tokens and access data from Snowflake customers, impacting potentially over 400 companies, as per Hudson Rock’s findings.
In an attempt to extort Snowflake, the threat actor demanded $20 million in exchange for the stolen data, a demand that went unanswered by the company. Snowflake has confirmed a breach of a company employee by a Lumma-type Infostealer in October, which led to the compromise of corporate credentials and access to Snowflake infrastructure.
Snowflake, Santander, and Ticketmaster have been contacted for comment on the situation, with Snowflake confirming an increase in attacks targeting customer accounts. Snowflake’s CISO, Brad Jones, emphasized that the attacks were not a result of any product vulnerabilities, urging customers to enhance security measures by enabling multi-factor authentication.
As the investigation into the breaches continues, Snowflake has issued a security bulletin with guidelines for potentially impacted customers to secure their accounts. The company has identified Indicators of Compromise (IoCs), including the use of a custom exfiltration tool called ‘RapeFlake’ and connections to databases via the DBeaver Ultimate data management tool.
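A triage check for the two indicators named above, joined to the login factor that Snowflake urges customers to strengthen; this is an added example, not code from Snowflake's bulletin or the article. It assumes session and login rows were exported as dictionaries keyed by the column names of Snowflake's ACCOUNT_USAGE SESSIONS and LOGIN_HISTORY views; `triage`, `normalise` and all sample rows are constructed for illustration.

```python
import re

# Tool names come from the article. How Snowflake records them in the client field
# is an assumption, so matching uses a lowercase, alphanumeric-only form.
IOC_CLIENTS = {"rapeflake": "custom exfiltration tool",
               "dbeaverultimate": "DBeaver Ultimate"}

def normalise(client_id):
    return re.sub(r"[^a-z0-9]", "", (client_id or "").lower())

def triage(sessions, logins):
    """Flag sessions opened by an IoC client and join each to its login event."""
    login_by_id = {row["EVENT_ID"]: row for row in logins}
    findings = []
    for s in sessions:
        norm = normalise(s.get("CLIENT_APPLICATION_ID"))
        hit = next((label for key, label in IOC_CLIENTS.items() if key in norm), None)
        if hit is None:
            continue
        login = login_by_id.get(s.get("LOGIN_EVENT_ID"), {})
        password_only = (login.get("FIRST_AUTHENTICATION_FACTOR") == "PASSWORD"
                         and not login.get("SECOND_AUTHENTICATION_FACTOR"))
        # DBeaver Ultimate is a legitimate product, so a hit on it alone is only
        # "review"; the custom tool or a login without a second factor is "high".
        high = hit == "custom exfiltration tool" or password_only
        findings.append({"session": s["SESSION_ID"], "user": s["USER_NAME"],
                         "client": hit, "ip": login.get("CLIENT_IP"),
                         "password_only": password_only,
                         "severity": "high" if high else "review"})
    return findings

# Constructed sample rows (not real telemetry); IPs are documentation ranges.
SESSIONS = [
    {"SESSION_ID": 1001, "USER_NAME": "ETL_SVC", "CLIENT_APPLICATION_ID": "JDBC 3.13.30", "LOGIN_EVENT_ID": 1},
    {"SESSION_ID": 1002, "USER_NAME": "ANALYST1", "CLIENT_APPLICATION_ID": "DBeaver Ultimate 24.0", "LOGIN_EVENT_ID": 2},
    {"SESSION_ID": 1003, "USER_NAME": "ETL_SVC", "CLIENT_APPLICATION_ID": "rapeflake", "LOGIN_EVENT_ID": 3},
    {"SESSION_ID": 1004, "USER_NAME": "DBA2", "CLIENT_APPLICATION_ID": "DBeaver Ultimate 24.0", "LOGIN_EVENT_ID": 4},
]
LOGINS = [
    {"EVENT_ID": 1, "CLIENT_IP": "192.0.2.10", "FIRST_AUTHENTICATION_FACTOR": "RSA_KEYPAIR", "SECOND_AUTHENTICATION_FACTOR": None},
    {"EVENT_ID": 2, "CLIENT_IP": "192.0.2.25", "FIRST_AUTHENTICATION_FACTOR": "PASSWORD", "SECOND_AUTHENTICATION_FACTOR": "MFA_TOKEN"},
    {"EVENT_ID": 3, "CLIENT_IP": "198.51.100.7", "FIRST_AUTHENTICATION_FACTOR": "PASSWORD", "SECOND_AUTHENTICATION_FACTOR": None},
    {"EVENT_ID": 4, "CLIENT_IP": "203.0.113.44", "FIRST_AUTHENTICATION_FACTOR": "PASSWORD", "SECOND_AUTHENTICATION_FACTOR": None},
]

if __name__ == "__main__":
    for finding in triage(SESSIONS, LOGINS):
        print(finding)
```

Source IPs on flagged rows are the next pivot: compare them against the addresses your own users and integrations normally connect from.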
If you have any information related to these incidents or other breaches involving Snowflake, you can reach out confidentially via Signal at 646-961-3731 or tips@bleepingcomputer.com.