Snowflake is disputing claims made by a threat actor who stole data belonging to Santander and Ticketmaster, and maintains that the theft of customer data was the result of stolen customer login credentials.
“We are aware of recent reports related to a potential compromise of the Snowflake production environment,” cloud company Snowflake said in an update of Friday’s warning about identity-based attacks targeting its customers.
“We have no evidence suggesting this activity was caused by any vulnerability, misconfiguration, or breach of Snowflake’s product.”
Clearing things up
On Friday, the company confirmed that some customer accounts had been accessed by attackers who used previously compromised credentials. It notified the affected customers, shared indicators of compromise and offered recommendations to assist them in securing their accounts.
Mitiga researchers’ post on how Snowflake customers can perform threat hunting has provided more details about the attacks: the attackers breached accounts that did not have 2-factor authentication switched on, grabbed the cloud-stored data and used it to extort the affected organizations.
Hudson Rock researchers also published a report repeating the threat actor’s claims that they breached Snowflake’s infrastructure by stealing a Snowflake employee’s login credentials. The blog post has since been deleted, but an archived version can be found here. (We’ve asked Hudson Rock why they removed it, and we’ll update this article when/if we receive a response.)
Snowflake CISO Brad Jones rejected the threat actor’s general claims and refuted some particular ones:
“We did find evidence that similar to impacted customer accounts, the threat actor obtained personal credentials to and accessed a demo account owned by a former Snowflake employee,” he said, but claimed that the account did not contain sensitive data nor is it connected to Snowflake’s production or corporate systems.
“The access was possible because the demo account was not behind Okta or MFA, unlike Snowflake’s corporate and production systems,” he noted, and added that “there is no ‘master Application Programming Interface (API)’ or pathway for customers’ credentials to be accessed and exfiltrated from the Snowflake production environment.”
Theft of Santander and Ticketmaster data confirmed
The threat actor also claimed that by breaching Snowflake’s servers, they were able to grab data belonging to Santander Bank and Ticketmaster.
Santander previously confirmed that attackers had accessed one of its databases hosted by a third-party provider, but did not name Snowflake.
Live Nation Entertainment – the parent company of Ticketmaster – reported to the Securities and Exchange Commission that they “identified unauthorized activity within a third-party cloud database environment containing Company data (primarily from its Ticketmaster L.L.C. subsidiary) and launched an investigation with industry-leading forensic investigators to understand what happened.”
A Ticketmaster spokesperson subsequently told TechCrunch that the database was hosted on Snowflake.
Security researcher Kevin Beaumont says that six major organizations are “running Snowflake cyber incidents”.