One of the biggest hacks of the year may have started to unfold. Late on Friday, embattled events business Live Nation, which owns Ticketmaster, confirmed it suffered a data breach after criminal hackers claimed to be selling half a billion customer records online. Banking firm Santander also confirmed it had suffered a data breach impacting millions of customers and staff after its data was advertised by the same group of hackers.
While the specific circumstances of the breaches—including exactly what information was stolen and how it was accessed—remain unclear, the incidents may be linked to attacks against company accounts with cloud data platform Snowflake. The US-based firm has thousands of customers, including Adobe, Canva, and Mastercard, which use its systems to store and analyze vast amounts of data.
Security experts say that as more details become clear about hackers’ attempts to access and take data from Snowflake’s systems, it is possible that other companies will reveal they had data stolen. At present, though, the developing situation is messy and complicated.
“Snowflake recently observed and is investigating an increase in cyber threat activity targeting some of our customers’ accounts,” Brad Jones, Snowflake’s chief information security officer wrote in a blog post acknowledging the cybersecurity incident on Friday. Snowflake has found a “limited number” of customer accounts that have been targeted by hackers who obtained their login credentials to the company’s systems, Jones wrote. Snowflake also found one former staff member’s “demo” account that had been accessed.
However, Snowflake doesn’t “believe” it was the source of any leaked customer credentials, the post says. “We have no evidence suggesting this activity was caused by any vulnerability, misconfiguration, or breach of Snowflake’s product,” Jones writes in the blog post.
While the number of Snowflake accounts accessed and what data may have been taken have not been released, government officials are warning about the impact of the attack. The Australian Cyber Security Centre issued a “high” alert on Saturday saying it is “aware of successful compromises of several companies utilizing Snowflake environments,” and that companies using Snowflake should reset their account credentials, turn on multi-factor authentication, and review user activity.
“It looks like Snowflake has had some rather egregiously bad security compromise,” security researcher Troy Hunt, who runs data breach notification website Have I Been Pwned, tells WIRED. “It being a provider to many other different parties, it has sort of bubbled up to different data breaches in different locations.”
Details of the data breaches started to emerge on May 27. A newly registered account on cybercrime forum Exploit posted an advertisement where they claimed to be selling 1.3 TB of Ticketmaster data, including more than 560 million people’s information. The hacker claimed to have names, addresses, email addresses, phone numbers, some credit card details, ticket sales, order details, and more. They asked for $500,000 for the download.
One day later, the established hacking group ShinyHunters—which first emerged in 2020 with a data-stealing rampage, before selling 70 million AT&T records in 2021—posted the exact same Ticketmaster ad on rival marketplace BreachForums. At the time, Ticketmaster and its parent company Live Nation had not confirmed any data theft and it was unclear if either post selling the data was legitimate.
On May 30, ShinyHunters also claimed to be selling 30 million customer details and staff information from Santander, putting a $2 million price tag on the information. Both posts on BreachForums have drawn attention to the illegal marketplace, which was recently revived by ShinyHunters after the FBI took the website down on May 15. The posts may, at least in part, be efforts to restore the disrupted forum’s damaged reputation with criminals.
The two hacks were linked to Snowflake’s systems by Israeli security firm Hudson Rock, which, in a now-removed blog post, posted conversations its researchers had with the alleged hacker who claimed to have accessed Snowflake’s systems and exfiltrated data. The hacker claimed they had tried to sell the data back to Snowflake for $20 million. (Hudson Rock did not respond to WIRED’s questions about why it has removed its research).
The Hudson Rock post suggested that infostealer malware might have compromised a Snowflake employee, enabling hackers to access the company’s systems. Charles Carmakal, chief technology officer at Mandiant, a Google-owned security firm, told BleepingComputer that Mandiant’s recent investigations found infostealer malware being used to harvest login credentials for Snowflake accounts.
After Live Nation confirmed the breach in an SEC filing on Friday, a Ticketmaster spokesperson told TechCrunch that the stolen database had been hosted on Snowflake. Santander had said in a public statement in mid-May, before its data was advertised, that it had observed unauthorized access to a database hosted by a third-party provider, without naming the provider.
In the blog post acknowledging the incident on Friday, Jones, Snowflake’s CISO, highlighted the risk when customer credentials are captured by unauthorized actors. Snowflake says it became aware of the suspicious activity on May 23 and that the activity dates back to mid-April; it has notified customers and urged them to review their account settings and enable multi-factor authentication. A security bulletin from Snowflake listed, as indicators to look for, “malicious traffic” from a client calling itself “rapeflake” and connections from another client identified as “DBeaver_DBeaverUltimate.” A Snowflake spokesperson told WIRED the company has disclosed all necessary information in its communications.
Investigations by cloud security firm Mitiga have identified a threat actor targeting organizations that use Snowflake databases with a tool called “rapeflake.” Roei Sherman, field CTO at Mitiga, told WIRED that one possibility is that the attackers first learned how Snowflake environments are set up and then extracted data about its customers using automated techniques and account brute-forcing.
Sherman says little is known yet about the stolen data or the “rapeflake” tool, but that the breach likely has broader implications, with indications that other companies are affected as well.
Several of Mitiga’s clients have asked for help, and Mandiant told BleepingComputer it is assisting Snowflake customers. Security researcher Kevin Beaumont has said online that six companies have been affected. Separately, the Australian events company Ticketek announced that customer names and email addresses held on a cloud platform run by a reputable global supplier were accessed, though it did not confirm a link to Snowflake.
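The advisories quoted above boil down to three checks a Snowflake customer can run: look for sessions from the client names in Snowflake’s bulletin, look for password-only logins and brute-force patterns in the login history, and find users who can still log in without a second factor. The script below is an added example written for this article, not code from Snowflake, Mitiga, or WIRED. It assumes the records have been pulled from the SNOWFLAKE.ACCOUNT_USAGE views LOGIN_HISTORY, SESSIONS and USERS with the column names shown; the sample rows are constructed for the demonstration. One caveat the bulletin does not spell out: DBeaver is a widely used legitimate SQL client, so a session from it is a lead to review, not proof of compromise on its own.

```python
"""Triage helpers for the Snowflake credential-abuse pattern described above.

Added example, not Snowflake's or WIRED's code. Field names mirror the
SNOWFLAKE.ACCOUNT_USAGE views LOGIN_HISTORY, SESSIONS and USERS (assumption:
the queries feeding these records select those columns). All rows below are
constructed sample data.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Client names Snowflake's bulletin called out, lower-cased for matching.
SUSPECT_CLIENTS = {"rapeflake", "dbeaver_dbeaverultimate"}

T0 = datetime(2024, 5, 20, 3, 0, 0)

# Constructed SESSIONS rows: a normal service account plus one abused user.
SESSIONS = [
    {"SESSION_ID": 1, "USER_NAME": "ETL_SVC", "CLIENT_APPLICATION_ID": "PythonConnector 3.0.4", "LOGIN_EVENT_ID": 101},
    {"SESSION_ID": 2, "USER_NAME": "J_DOE", "CLIENT_APPLICATION_ID": "rapeflake", "LOGIN_EVENT_ID": 105},
    {"SESSION_ID": 3, "USER_NAME": "J_DOE", "CLIENT_APPLICATION_ID": "DBeaver_DBeaverUltimate", "LOGIN_EVENT_ID": 106},
]


def _login(event_id, minutes, user, ip, factor, success):
    """Build one constructed LOGIN_HISTORY row (no second factor in this sample)."""
    return {"EVENT_ID": event_id, "EVENT_TIMESTAMP": T0 + timedelta(minutes=minutes),
            "USER_NAME": user, "CLIENT_IP": ip, "FIRST_AUTHENTICATION_FACTOR": factor,
            "SECOND_AUTHENTICATION_FACTOR": None, "IS_SUCCESS": success}


LOGIN_HISTORY = [
    _login(101, 0, "ETL_SVC", "10.0.0.5", "RSA_KEYPAIR", "YES"),
    # three failed password guesses, then a success from the same address
    _login(102, 1, "J_DOE", "203.0.113.9", "PASSWORD", "NO"),
    _login(103, 2, "J_DOE", "203.0.113.9", "PASSWORD", "NO"),
    _login(104, 3, "J_DOE", "203.0.113.9", "PASSWORD", "NO"),
    _login(105, 4, "J_DOE", "203.0.113.9", "PASSWORD", "YES"),
    _login(106, 6, "J_DOE", "203.0.113.9", "PASSWORD", "YES"),
]

# Constructed USERS rows; EXT_AUTHN_DUO is Snowflake's MFA-enrolled flag.
USERS = [
    {"NAME": "ETL_SVC", "HAS_PASSWORD": False, "EXT_AUTHN_DUO": False},
    {"NAME": "J_DOE", "HAS_PASSWORD": True, "EXT_AUTHN_DUO": False},
    {"NAME": "A_ADMIN", "HAS_PASSWORD": True, "EXT_AUTHN_DUO": True},
]


def suspect_sessions(sessions, suspect=SUSPECT_CLIENTS):
    """Sessions whose reported client name matches a bulletin indicator.

    Only the first token is compared, case-insensitively, because legitimate
    clients append a version string ("PythonConnector 3.0.4").
    """
    hits = []
    for s in sessions:
        name = (s.get("CLIENT_APPLICATION_ID") or "").split(" ", 1)[0].lower()
        if name in suspect:
            hits.append(s)
    return hits


def password_only_logins(login_history):
    """Successful logins with a password and no second factor: exactly the
    access an infostealer-harvested credential grants."""
    return [e for e in login_history
            if e["IS_SUCCESS"] == "YES"
            and e["FIRST_AUTHENTICATION_FACTOR"] == "PASSWORD"
            and not e["SECOND_AUTHENTICATION_FACTOR"]]


def brute_force_then_success(login_history, threshold=3, window=timedelta(minutes=10)):
    """(user, ip) pairs with >= threshold failures followed by a success inside window."""
    by_key = defaultdict(list)
    for e in sorted(login_history, key=lambda e: e["EVENT_TIMESTAMP"]):
        by_key[(e["USER_NAME"], e["CLIENT_IP"])].append(e)
    hits = []
    for key, events in by_key.items():
        fails = []
        for e in events:
            if e["IS_SUCCESS"] == "NO":
                fails.append(e["EVENT_TIMESTAMP"])
                continue
            recent = [t for t in fails if e["EVENT_TIMESTAMP"] - t <= window]
            if len(recent) >= threshold:
                hits.append(key)
                break
            fails = []  # a clean success resets the failure run
    return hits


def users_needing_mfa(users):
    """Password-capable users not enrolled in MFA; key-pair-only accounts are skipped."""
    return sorted(u["NAME"] for u in users if u["HAS_PASSWORD"] and not u["EXT_AUTHN_DUO"])


def triage(sessions=SESSIONS, login_history=LOGIN_HISTORY, users=USERS):
    """Combine the checks into the review the advisories describe."""
    flagged = suspect_sessions(sessions)
    forced = brute_force_then_success(login_history)
    reset = sorted({s["USER_NAME"] for s in flagged} | {user for user, _ in forced})
    return {
        "suspect_sessions": [s["SESSION_ID"] for s in flagged],
        "password_only_logins": [e["EVENT_ID"] for e in password_only_logins(login_history)],
        "brute_forced": forced,
        "users_without_mfa": users_needing_mfa(users),
        "reset_credentials_for": reset,
    }


if __name__ == "__main__":
    for item, value in triage().items():
        print(f"{item}: {value}")
```

Against the sample data the report flags sessions 2 and 3, logins 105 and 106 as password-only, the J_DOE/203.0.113.9 pair as brute-forced, and J_DOE as the one account that both needs MFA and needs its credentials reset. On a real account the same functions run over the ACCOUNT_USAGE exports, with the suspect-client set extended as new indicators are published.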
“The full extent of the breach has not been ascertained yet,” notes Sherman. “Given Snowflake services thousands of clients, some of which are major corporations, we anticipate uncovering more affected companies.”