Ticketmaster breach linked to growing Snowflake attack

7 Jun 2024


There has been a wave of massive data breaches and Snowflake appears to be the entity linking them all together.

As more information is revealed about the Ticketmaster data breach, it appears that a targeted attack on cloud company Snowflake and its customers is the cause.

Ticketmaster customers got a scare last month when the data of 560m accounts went up for sale on the dark web. Ticketmaster’s parent company Live Nation confirmed the breach in a filing with the US Securities and Exchange Commission, while a spokesperson told TechCrunch that its stolen database was hosted on Snowflake – a cloud storage company.

Since then, multiple breaches have been connected to Snowflake, which has more than 9,800 customers globally. The international bank Santander confirmed that it was the victim of a data breach, after a threat actor gained “unauthorised access to a Santander database hosted by a third-party provider”.

Cybersecurity company Hudson Rock claimed it spoke to the threat actor responsible for the Santander breach, according to a blogpost. This blogpost was taken offline due to legal pressure from Snowflake, The Register reports.

The threat actor speaking to Hudson Rock claimed that both the Santander and Ticketmaster breaches came from a hack of Snowflake.

This threat actor also claimed that 400 companies are impacted by the Snowflake breach and that the goal was to blackmail the cloud company into buying the data back for $20m.

Snowflake recently confirmed that it is investigating a “targeted threat campaign against some Snowflake customer accounts” and claims the campaign is targeting users with single-factor authentication.

The company said threat actors “leveraged credentials” purchased or obtained through info-stealing malware. Snowflake also found evidence that a threat actor obtained personal credentials of “demo accounts” belonging to a former Snowflake employee, but that “it did not contain sensitive data”.

“We have not identified evidence suggesting this activity was caused by a vulnerability, misconfiguration or breach of Snowflake’s platform,” the company said in a statement.

Earlier this week, another threat actor shared a post on the dark web selling 3TB of data stolen from Advance Auto Parts. The threat actor claimed that this data includes the personal data of 380m customer profiles.

BleepingComputer claims it confirmed the legitimacy of “a large number” of the Advance Auto Parts customer records. The threat actor selling this data told BleepingComputer that the breach stemmed from recent attacks targeting Snowflake customers.


Leigh Mc Gowran is a journalist with Silicon Republic
