Cloud storage provider Snowflake said that accounts belonging to multiple customers have been hacked after threat actors obtained credentials through info-stealing malware or by purchasing them on online crime forums.
Ticketmaster parent Live Nation—which disclosed Friday that hackers gained access to data it stored through an unnamed third-party provider—told TechCrunch the provider was Snowflake. The live-event ticket broker said it identified the hack on May 20, and a week later, a “criminal threat actor offered what it alleged to be Company user data for sale via the dark web.”
Ticketmaster is one of six Snowflake customers to be hit in the hacking campaign, said independent security researcher Kevin Beaumont, citing conversations with people inside the affected companies. Australia’s Signal Directorate said Saturday it knew of “successful compromises of several companies utilizing Snowflake environments.” Researchers with security firm Hudson Rock said in a now-deleted post that Santander, Spain’s biggest bank, was also hacked in the campaign. The researchers cited online text conversations with the threat actor. Last month, Santander disclosed a data breach affecting customers in Chile, Spain, and Uruguay.
“The tl;dr of the Snowflake thing is mass scraping has been happening, but nobody noticed, and they’re pointing at customers for having poor credentials,” Beaumont wrote on Mastodon. “It appears a lot of data has gone walkies from a bunch of orgs.”
Word of the hacks came weeks after a hacking group calling itself ShinyHunters took credit for breaching Santander and Ticketmaster and posted data purportedly belonging to both as evidence. The group took to a Breach forum to seek $2 million for the Santander data, which it said included 30 million customer records, 6 million account numbers, and 28 million credit card numbers. It sought $500,000 for the Ticketmaster data, which the group claimed included full names, addresses, phone numbers, and partial credit card numbers for 560 million customers.
Beaumont didn’t name the group behind the attacks against Snowflake customers but described it as “a teen crimeware group who’ve been active publicly on Telegram for a while and regularly relies on infostealer malware to obtain sensitive credentials.
The group has been responsible for hacks on dozens of organizations, with a small number of them including:
- Online dating app Zoosk (30 million user records)
- Printing service Chatbooks (15 million user records)
- South Korean fashion platform SocialShare (6 million user records)
- Food delivery service Home Chef (8 million user records)
- Online marketplace Minted (5 million user records)
- Online newspaper Chronicle of Higher Education
- South Korean furniture magazine GGuMim (2 million user records)
- Health magazine Mindful (2 million user records)
- Indonesia online store Bhinneka (1.2 million user records)
- US newspaper, the Minneapolis StarTribune (1 million user records)
- AT&T
- A Microsoft GitHub account.
According to Snowflake, the threat actor used already compromised account credentials in the campaign against its customers. Those accounts weren’t protected by multifactor authentication (MFA).
Snowflake also said that the threat actor used compromised credentials to a former employee account that wasn’t protected by MFA. That account, the company said, was created for demonstration purposes.
“It did not contain sensitive data,” Snowflake’s notification stated. “Demo accounts are not connected to Snowflake’s production or corporate systems.”
The company urges all customers to ensure all their accounts are protected with MFA. The statement added that customers should also check their accounts for signs of compromise using these indicators.
“Throughout the course of our ongoing investigation, we have promptly informed the limited number of customers who we believe may have been impacted,” the company said in the post.
Snowflake and the two security firms it has retained to investigate the incident—Mandiant and Crowdstrike—said they have yet to find any evidence the breaches are a result of a “vulnerability, misconfiguration, or breach of Snowflake’s platform.” But Beaumont said the cloud provider shares some of the responsibility for the breaches because setting up MFA on Snowflake is too cumbersome. He cited the breach of the former employee’s demo account as support.
“They need to, at an engineering and secure by design level, go back and review how authentication works—as it’s pretty transparent that given the number of victims and scale of the breach that the status quo hasn’t worked,” Beaumont wrote. “Secure authentication should not be optional. And they’ve got to be completely transparent about steps they are taking off the back of this incident to strengthen things.”
Source: Ticketmaster hacked in what’s believed to be a spree hitting Snowflake customers | Ars Technica
Robin Edgar
Organisational Structures | Technology and Science | Military, IT and Lifestyle consultancy | Social, Broadcast & Cross Media | Flying aircraft