Cybersecurity firm Hudson Rock reports that it has seen evidence of a major cybersecurity incident at cloud storage giant Snowflake.
The incident reportedly impacts all of the vendor's 400 clients, including Ticketmaster and Santander Bank, who recently found themselves at the epicenter of still-unverified data leak news.
Snowflake is a leading cloud-based data warehousing company that enables organizations to efficiently store, analyze, and share vast amounts of data in real time. Snowflake's platform supports multi-cloud environments, allowing seamless integration with major cloud providers such as AWS, Google Cloud, and Azure.
The breach first came to light on May 26th, when the hacker, in a Telegram conversation, claimed to have accessed data from Snowflake, Ticketmaster, and Santander Bank.
The data that was allegedly stolen, samples of which were leaked online by a data broker named 'ShinyHunters', includes the following:
- 30 million Santander Bank account details
- 6 million Santander Bank account numbers and balances
- 28 million Santander Bank credit card numbers
- Santander Bank HR information for staff
- 560 million Ticketmaster customer details, including names, addresses, emails, phone numbers, and credit card data
- Ticketmaster sales, event info, and order details
The stolen data was later put up for sale on the Russian-speaking cybercrime forum, exploit[.]in, where samples were provided to verify its authenticity. Hudson Rock researchers analyzed these samples and confirmed their legitimacy.
Snowflake breach details
Hudson Rock reports that the hacker initially accessed Snowflake through stolen credentials of a ServiceNow account. By bypassing Okta authentication and generating session tokens, the hacker was able to exfiltrate data, potentially affecting up to 400 companies.
The hacker demanded $20 million from Snowflake to buy back their data, providing a CSV file as evidence of their access, which showed over 2,000 customer instances on Snowflake's Europe servers.
The breach traces back to an infection on October 5th, 2023, when a Snowflake employee's credentials were compromised by a Lumma-type infostealer malware.
In response, Snowflake issued a statement earlier today acknowledging the breach and stating they are investigating an industry-wide identity-based attack affecting some of their customers. The full scope of impacted companies remains undetermined, with ongoing investigations and negotiations expected to reveal more details over time.
As of this writing, Snowflake has not admitted that the breach impacted it directly; instead, it says the activity was due to customers securing their accounts with credentials that had previously been exposed in unrelated data breaches.
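A defender-side check for the pattern the report describes (previously exposed credentials reused against accounts that accept a password alone), as an added example that is not from Hudson Rock, Snowflake or the original article. The sample events and their field names are constructed, modelled loosely on the columns of Snowflake's ACCOUNT_USAGE.LOGIN_HISTORY view (user, timestamp, client IP, first and second authentication factor, success flag):

```python
from collections import defaultdict

# Constructed sample login events (an assumption, not real data), modelled
# loosely on Snowflake's ACCOUNT_USAGE.LOGIN_HISTORY columns: "first" is the
# primary factor (PASSWORD or an SSO assertion), "second" an OTP if present.
SAMPLE_LOGINS = [
    {"user": "ETL_SVC", "ts": "2024-05-20T08:00:00", "ip": "203.0.113.10",
     "first": "PASSWORD", "second": None, "ok": True},
    {"user": "ANALYST", "ts": "2024-05-20T09:15:00", "ip": "198.51.100.7",
     "first": "SAML2_ASSERTION", "second": None, "ok": True},
    {"user": "ETL_SVC", "ts": "2024-05-27T02:10:00", "ip": "192.0.2.55",
     "first": "PASSWORD", "second": None, "ok": False},
    {"user": "ETL_SVC", "ts": "2024-05-27T02:13:00", "ip": "192.0.2.55",
     "first": "PASSWORD", "second": None, "ok": True},
    {"user": "ANALYST", "ts": "2024-05-27T03:00:00", "ip": "192.0.2.55",
     "first": "SAML2_ASSERTION", "second": None, "ok": True},
    {"user": "DBA", "ts": "2024-05-27T04:00:00", "ip": "198.51.100.42",
     "first": "PASSWORD", "second": "OTP", "ok": True},
    {"user": "DBA", "ts": "2024-05-28T04:00:00", "ip": "192.0.2.55",
     "first": "PASSWORD", "second": "OTP", "ok": True},
]


def password_only_from_new_ip(logins):
    """Flag successful password-only logins (no SSO, no second factor) from an
    IP the user had never successfully logged in from before. A user with no
    earlier successful login has no baseline yet and is skipped."""
    seen = defaultdict(set)  # user -> IPs of earlier successful logins
    flagged = []
    for ev in sorted(logins, key=lambda e: e["ts"]):
        if not ev["ok"]:
            continue  # failures neither build the baseline nor get flagged here
        baseline = seen[ev["user"]]
        if (ev["first"] == "PASSWORD" and ev["second"] is None
                and baseline and ev["ip"] not in baseline):
            flagged.append(ev)
        baseline.add(ev["ip"])
    return flagged


def users_per_ip(logins, min_users=3):
    """One source IP authenticating successfully as many distinct users is the
    shape of a credential-stuffing run; return {ip: sorted users} at/above it."""
    by_ip = defaultdict(set)
    for ev in logins:
        if ev["ok"]:
            by_ip[ev["ip"]].add(ev["user"])
    return {ip: sorted(u) for ip, u in by_ip.items() if len(u) >= min_users}
```

On the constructed sample, only the ETL_SVC login at 02:13 is flagged: the failed attempt three minutes earlier does not count, the ANALYST login from the same address went through SSO, and the DBA logins carried a second factor.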
Update: Snowflake has provided Cyber Insider with the following statement:
We have not identified evidence suggesting this activity was caused by a vulnerability, misconfiguration, or breach of Snowflake’s platform.
– Snowflake spokesperson
Hudson Rock has also now removed its original report on the incident.
Additionally, CrowdStrike and Mandiant issued a statement that their preliminary investigation has not shown evidence of a breach at Snowflake.