Ticketmaster Data Breach May Be Tip of the Iceberg as ShinyHunters Claims Compromise of Snowflake Storage

by | Jun 7, 2024

Snowflake is a company that those outside of large enterprises have likely never heard of, but it provides cloud storage solutions to some of the world’s biggest companies. The potential for another incident on a scale comparable to last summer’s MOVEit hack is rising as ShinyHunters has claimed Snowflake is the source of the recent Ticketmaster data breach, among numerous others that have not even been disclosed yet.

Snowflake has confirmed that some of its customers have been attacked, and that an account belonging to a former employee was compromised by a threat actor, but it has yet to confirm or deny that the Ticketmaster data breach is legitimate or that any of its other clients are impacted. Indirect evidence for this scenario is mounting, however, with warnings issued both by Australia’s federal cybersecurity department and security firm Mandiant.

Details of Ticketmaster data breach still unclear as more questions are raised

Snowflake still claims that the breach(es) they’ve acknowledged have nothing to do with the contents of the Ticketmaster data breach, but a lot of circumstantial evidence is indicating otherwise. A seemingly damning post from Israeli cybersecurity firm Hudson Rock emerged on Friday, but was taken down over the weekend for reasons unknown. That keeps some question marks hovering over the situation, but at this point it is best for Snowflake customers to assume that there was a serious upstream compromise.

Prior to the Hudson Rock blog post, there was word from some security researchers of a third party vendor compromise being the source of the Ticketmaster data breach. And ShinyHunters was known to be the guilty party, as they openly offered the stolen data for sale on BreachForums. The tell-all to Hudson Rock seemed to confirm the third party theory and out Snowflake as the victim, along with an indication that more major companies have been breached that have not hit the news yet.

Support for this scenario comes from Mandiant, which has said that it has been assisting Snowflake customers with a data breach for weeks. And the Australian Cyber Security Centre (ACSC) also issued a warning directly to Snowflake customers about increased threat activity, advising them to take security precautions of the sort that are in keeping with a known breach.

In addition to the Ticketmaster data breach, ShinyHunters has offered stolen data from Spanish financial giant Satander for sale. Satander has confirmed that breach is legitimate, and one that contains sensitive financial data for a large amount of its customers in Chile, Spain and Uruguay. And while Snowflake will not cop to full responsibility, the company has issued security advice to its customers that mirrors the warning issued by the ACSC.

Snowflake breach may have originated in October 2023

If the Hudson Rock post turns out to be fully accurate, the origin of the Ticketmaster data breach (and all other incidents involving Snowflake customers) may have taken place all the way back in October 2023. That is when ShinyHunters claims to have stolen a Snowflake employee’s login by somehow tricking them into installing Infostealer malware. That gave them access to a ServiceNow account, from which the hackers were apparently able to generate session tokens for hundreds, if not thousands of the company’s 9,400 customers.

That list of customers includes some very prominent names. ShinyHunters named some of those it claims to have breached, but who have yet to show any public indications of compromise; these include Advance Auto Parts, Allstate, Anheuser-Busch, Progressive, Neiman Marcus and Mitsubishi.

Another summer event comparable to the MOVEit breach of last year is thus possible, though key details remain unconfirmed. At the moment, Snowflake customers should assume a serious compromise and make security adjustments accordingly.

Recent Posts

How can we help?

12 + 9 =

× How can I help you?