Snowflake denies breach, blames data theft on poorly secured customer accounts
Snowflake is disputing claims made by a threat actor who stole data belonging to Santander and Ticketmaster, and maintains that the theft of customer data was the result of stolen customer login credentials.
“We are aware of recent reports related to a potential compromise of the Snowflake production environment,” cloud company Snowflake said in an update to Friday’s warning about identity-based attacks targeting its customers.
“We have no evidence suggesting this activity was caused by any vulnerability, misconfiguration, or breach of Snowflake’s product.”
Clearing things up
On Friday, the company confirmed that some customer accounts had been accessed by attackers using previously compromised credentials. The company notified the affected customers, shared indicators of compromise and offered recommendations to help them secure their accounts.
Mitiga researchers’ post on how Snowflake customers can perform threat hunting provided more details about the attacks: the attackers logged into accounts that did not have two-factor authentication switched on, grabbed the cloud-stored data and used it to extort the affected organizations.
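The attack pattern described above (password-only logins to accounts with no second factor) can be hunted for in Snowflake’s own audit views. The queries below are an added example written for this article; they are not Mitiga’s or Snowflake’s published queries, and the 30-day window, the hypothetical allow-listed CIDR ranges and the policy name are assumptions to adapt to your environment. The views and columns used (SNOWFLAKE.ACCOUNT_USAGE.LOGIN_HISTORY and USERS) are standard Snowflake account-usage views, which lag live activity by up to a couple of hours.

```sql
-- Added example: hunting for the credential-stuffing pattern described in the article.
-- Requires a role with access to the SNOWFLAKE database (e.g. ACCOUNTADMIN or a role
-- granted IMPORTED PRIVILEGES on it). ACCOUNT_USAGE views have up to ~2h latency.

-- 1. Successful logins that used only a password and no second factor, per user,
--    with the set of client IPs and client types seen. Attackers using stolen
--    credentials show up here as new IPs / unusual clients on password-only logins.
SELECT
    user_name,
    COUNT(*)                                   AS password_only_logins,
    COUNT(DISTINCT client_ip)                  AS distinct_ips,
    ARRAY_AGG(DISTINCT client_ip)              AS client_ips,
    ARRAY_AGG(DISTINCT reported_client_type)   AS client_types,
    MIN(event_timestamp)                       AS first_seen,
    MAX(event_timestamp)                       AS last_seen
FROM snowflake.account_usage.login_history
WHERE event_timestamp >= DATEADD('day', -30, CURRENT_TIMESTAMP())   -- assumed window
  AND is_success = 'YES'
  AND first_authentication_factor = 'PASSWORD'
  AND second_authentication_factor IS NULL
GROUP BY user_name
ORDER BY distinct_ips DESC, password_only_logins DESC;

-- 2. Failed logins by source IP: a burst of failures across many users from one IP
--    is the footprint of credential stuffing rather than a single mistyped password.
SELECT
    client_ip,
    COUNT(*)                    AS failures,
    COUNT(DISTINCT user_name)   AS distinct_users,
    ARRAY_AGG(DISTINCT error_message) AS errors
FROM snowflake.account_usage.login_history
WHERE event_timestamp >= DATEADD('day', -30, CURRENT_TIMESTAMP())
  AND is_success = 'NO'
GROUP BY client_ip
HAVING COUNT(DISTINCT user_name) >= 5      -- assumed threshold; tune per account size
ORDER BY failures DESC;

-- 3. The exposure that made the attacks possible: enabled, password-bearing users
--    who are not enrolled in Snowflake's built-in (Duo) MFA. Service accounts that
--    must stay password-based should be moved to key-pair or OAuth instead.
SELECT name, has_password, ext_authn_duo, last_success_login, created_on
FROM snowflake.account_usage.users
WHERE deleted_on IS NULL
  AND disabled = FALSE
  AND has_password = TRUE
  AND ext_authn_duo = FALSE
ORDER BY last_success_login DESC NULLS LAST;

-- 4. Containment / hardening (run by ACCOUNTADMIN): restrict where logins may come
--    from and rotate the exposed credentials. CIDR ranges and policy name are assumed.
CREATE NETWORK POLICY IF NOT EXISTS corp_only_policy
    ALLOWED_IP_LIST = ('203.0.113.0/24', '198.51.100.0/24');   -- hypothetical ranges
ALTER ACCOUNT SET NETWORK_POLICY = corp_only_policy;

-- Force a password change on an identified user and log them out of current sessions.
ALTER USER "<compromised_user>" SET MUST_CHANGE_PASSWORD = TRUE;
ALTER USER "<compromised_user>" ABORT ALL QUERIES;
```

Query 1 is the one to run first: a user whose only logins are password-based, from an IP range that is not yours, with a client type such as a generic Python or JDBC driver rather than the usual BI tool, is exactly the profile the extortion campaign relied on. Query 3 is the preventive check, and the network policy in step 4 closes the door for stolen passwords that have not yet been rotated.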
Hudson Rock researchers also published a report repeating the threat actor’s claims that they breached Snowflake’s infrastructure by stealing a Snowflake employee’s login credentials. The blog post has since been deleted, but an archived version can be found here. (We’ve asked Hudson Rock why they removed it, and we’ll update this article when/if we receive a response.)
Snowflake CISO Brad Jones rejected the threat actor’s general claims and refuted some particular ones:
“We did find evidence that similar to impacted customer accounts, the threat actor obtained personal credentials to and accessed a demo account owned by a former Snowflake employee,” he said, but claimed that the account did not contain sensitive data and was not connected to Snowflake’s production or corporate systems.
“The access was possible because the demo account was not behind Okta or MFA, unlike Snowflake’s corporate and production systems,” he noted, and added that “there is no ‘master Application Programming Interface (API)’ or pathway for customers’ credentials to be accessed and exfiltrated from the Snowflake production environment.”
Theft of Santander and Ticketmaster data confirmed
The threat actor also claimed that by breaching Snowflake’s servers, they were able to grab data belonging to Santander Bank and Ticketmaster.
Santander previously confirmed that attackers had accessed one of its databases hosted by a third-party provider, but did not name Snowflake.
Live Nation Entertainment – the parent company of Ticketmaster – reported to the Securities and Exchange Commission that they “identified unauthorized activity within a third-party cloud database environment containing Company data (primarily from its Ticketmaster L.L.C. subsidiary) and launched an investigation with industry-leading forensic investigators to understand what happened.”
A Ticketmaster spokesperson subsequently told TechCrunch that the database was hosted on Snowflake.
Security researcher Kevin Beaumont says that six major organizations are “running Snowflake cyber incidents”.
UPDATE (June 2, 2024, 01:10 p.m. ET):
Snowflake has engaged CrowdStrike and Mandiant to assist in cyber incident response.
The three firms have issued a joint statement on the preliminary findings of the investigation, and say that they have not identified evidence suggesting the incident was caused by a vulnerability, misconfiguration, breach of Snowflake’s platform, or compromised credentials of current or former Snowflake personnel.
They repeated that there is evidence that the threat actor obtained personal credentials to and accessed demo accounts of a former Snowflake employee, but that the accounts are not connected to the company’s production or corporate systems.
“Throughout the course of the investigation, Snowflake has promptly informed the limited number of Snowflake customers who it believes may have been affected. Mandiant has also engaged in outreach to potentially affected organizations,” they added.
UPDATE (June 5, 2024, 08:25 p.m. ET):
Hudson Rock has stated that they took their blog post down in accordance with a letter they received from Snowflake’s legal counsel.
DataBreaches talked to ShinyHunters, the group that claims to be behind the Santander and Ticketmaster breaches, and they said that the information and evidence given by the (partner) threat actor to Hudson Rock were mostly fake. (Though, of course, we also can’t be sure that ShinyHunters is telling the truth.)