Cloud Storage Provider Hacked, 560 Million Users’ Data Stolen

June 6, 2024

Many companies, among them the ticket sales giant Ticketmaster, had large amounts of customer information stolen in a May 27 data breach at Snowflake, a cloud storage provider. In an SEC filing late last week, Ticketmaster’s parent, Live Nation Entertainment, confirmed unauthorized access to “a third-party cloud database environment” mainly containing data from the online ticket sales platform. 

SecurityWeek writer Ionut Arghire reports that the theft was revealed when the notorious hacking group ShinyHunters claimed it exfiltrated the information of 560 million Snowflake users and put the data on the black market for $500,000.

“As part of this campaign, threat actors have leveraged credentials previously purchased or obtained through infostealing malware,” Snowflake said in a statement on its community forums. According to the company, there is no evidence that the malicious campaign was the result of a vulnerability or breach of its platform, or of “compromised credentials of current or former Snowflake personnel.”

Nevertheless, more than 400 organizations may have been impacted by the breach, according to the security company Hudson Rock, which held a phone conversation with one of the threat actors. Information belonging to customers of Anheuser-Busch, Allstate, Advance Auto Parts, Mitsubishi, Neiman Marcus, Progressive, Santander Bank, and State Farm was stolen.

The hacker who spoke to Hudson Rock said he and his affiliates want $20 million from Snowflake in exchange for the data. By way of demonstrating his bona fides, he provided the security company with a CSV file containing data on more than 2,000 customer instances running on Snowflake’s servers. It included information on a Snowflake employee infected with an infostealer in October 2023.

The hackers also claim they compromised a Snowflake employee’s ServiceNow account, and can generate session tokens, which allows them to steal more data. 

Snowflake customers have been advised to disable inactive accounts, to make sure they have multi-factor authentication enabled, to reset credentials for active accounts, and to apply the mitigation recommendations provided by the company.
