
Ticketmaster hacked in what is believed to be a spree against Snowflake customers


Cloud data warehouse provider Snowflake said accounts belonging to several customers were hacked after bad actors obtained credentials through information-stealing malware or by purchasing them on online criminal forums.

Ticketmaster parent Live Nation, which revealed Friday that hackers gained access to data stored through an unnamed third-party vendor, told TechCrunch that the vendor was Snowflake. The live event ticket broker said it identified the hack on May 20, and that a week later a “criminal threat actor offered for sale what it claimed was user data from the business via the dark web.”

Ticketmaster is one of six Snowflake customers affected by the hacking campaign, independent security researcher Kevin Beaumont said, citing conversations with people at the affected companies. The Australian Signals Directorate said on Saturday it was aware of “successful compromises from multiple companies using Snowflake environments”. Researchers at security firm Hudson Rock said in a now-deleted post that Santander, Spain’s largest bank, was also hacked in this campaign; the researchers cited online text conversations with the threat actor. Last month, Santander revealed a data breach affecting customers in Chile, Spain and Uruguay.

“Snowflake’s problem is that a massive scraping took place, but no one noticed, and they are accusing the customers of having bad credentials,” Beaumont wrote on Mastodon. “It appears that a lot of data was submitted by a number of organizations.”

News of the hacks came weeks after a hacking group calling itself ShinyHunters took credit for breaching Santander and Ticketmaster and released data purportedly belonging to both as evidence. The group took to a breach forum to demand $2 million for Santander’s data, which it said included 30 million customer records, 6 million account numbers and 28 million credit card numbers. It sought $500,000 for Ticketmaster data, which the group said included the full names, addresses, phone numbers and partial credit card numbers of 560 million customers.

[Image: Post from ShinyHunters seeking $2 million for Santander data.]

[Image: Post from ShinyHunters seeking $500,000 for Ticketmaster data.]

Beaumont did not name the group behind the attacks on Snowflake customers, but described it as “a teenage crimeware group that has been publicly active on Telegram for some time and regularly relies on infostealer malware to obtain sensitive credentials.”

The group has been responsible for hacking dozens of organizations, of which a small number include:

According to Snowflake, the threat actor used previously compromised account credentials in the campaign against its customers. The affected accounts were not protected by multi-factor authentication (MFA), so a stolen username and password alone were sufficient to log in.

Snowflake also said the threat actor used compromised credentials on a former employee account that was not protected by MFA. This account, the company said, was created for demonstration purposes.

“It did not contain sensitive data,” Snowflake’s notice said. “Demo accounts are not connected to Snowflake production or enterprise systems.”

The company urges all customers to ensure that all of their accounts are protected by MFA. The statement added that customers should also check their accounts for signs of compromise using the indicators of compromise it published.
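The two checks the article describes, password-only accounts without MFA and logins that succeeded with a stolen credential alone, can both be answered from Snowflake's own audit views. The following queries are an added example, not code from the article or from Snowflake's published guidance; they use the SNOWFLAKE.ACCOUNT_USAGE.USERS and LOGIN_HISTORY views, and the 90-day and 14-day windows, the "new IP or client for this user" heuristic and the placeholder network-policy name and CIDR ranges are this example's own assumptions:

```sql
-- Added example (not from the article or from Snowflake's guidance):
-- account hygiene and login-history checks run as an account admin.
-- Column names are those of the ACCOUNT_USAGE.USERS and
-- ACCOUNT_USAGE.LOGIN_HISTORY views; the time windows, the baseline
-- heuristic and the policy name / CIDRs below are assumptions.
USE ROLE ACCOUNTADMIN;

-- 1. Enabled users who can log in with a password and have no Duo MFA
--    enrolled. Key-pair-only service accounts (HAS_PASSWORD = FALSE) are
--    excluded, since a leaked password cannot be used against them.
SELECT name,
       login_name,
       email,
       last_success_login,
       has_rsa_public_key
FROM   snowflake.account_usage.users
WHERE  deleted_on IS NULL
  AND  disabled = FALSE
  AND  has_password = TRUE
  AND  ext_authn_duo = FALSE
ORDER  BY last_success_login DESC NULLS LAST;

-- 2. Successful logins in the last 90 days whose first factor was a
--    password and that recorded no second factor: the exact path an
--    infostealer-harvested credential takes.
SELECT event_timestamp,
       user_name,
       client_ip,
       reported_client_type,
       reported_client_version
FROM   snowflake.account_usage.login_history
WHERE  event_timestamp >= DATEADD(day, -90, CURRENT_TIMESTAMP())
  AND  is_success = 'YES'
  AND  first_authentication_factor = 'PASSWORD'
  AND  second_authentication_factor IS NULL
ORDER  BY event_timestamp DESC;

-- 3. Per user: source IP / client-type pairs seen in the last 14 days
--    that never appeared for that user in the 90 days before that.
--    A new IP plus an unfamiliar client tool is worth a manual look.
WITH baseline AS (
  SELECT DISTINCT user_name, client_ip, reported_client_type
  FROM   snowflake.account_usage.login_history
  WHERE  is_success = 'YES'
    AND  event_timestamp >= DATEADD(day, -104, CURRENT_TIMESTAMP())
    AND  event_timestamp <  DATEADD(day, -14,  CURRENT_TIMESTAMP())
),
recent AS (
  SELECT user_name,
         client_ip,
         reported_client_type,
         MIN(event_timestamp) AS first_seen,
         COUNT(*)             AS logins
  FROM   snowflake.account_usage.login_history
  WHERE  is_success = 'YES'
    AND  event_timestamp >= DATEADD(day, -14, CURRENT_TIMESTAMP())
  GROUP  BY 1, 2, 3
)
SELECT r.user_name, r.client_ip, r.reported_client_type,
       r.first_seen, r.logins
FROM   recent r
LEFT   JOIN baseline b
  ON   b.user_name            = r.user_name
 AND   b.client_ip            = r.client_ip
 AND   b.reported_client_type = r.reported_client_type
WHERE  b.user_name IS NULL
ORDER  BY r.first_seen DESC;

-- 4. Compensating control for an account that cannot enrol in MFA yet:
--    pin it to known egress ranges so a stolen password is useless from
--    elsewhere. Policy name and CIDRs are placeholders.
CREATE NETWORK POLICY corp_egress_only
  ALLOWED_IP_LIST = ('203.0.113.0/24', '198.51.100.0/24');
ALTER USER svc_reporting SET NETWORK_POLICY = corp_egress_only;
```

Two caveats when reading the results: the ACCOUNT_USAGE views are populated with a delay of up to a couple of hours, so a login that happened minutes ago will not show yet, and query 3 only flags novelty, not malice, so its output is a triage list rather than a verdict. Anything in query 2 coming from an IP or client the user does not recognise should be treated as a credential that is already in an attacker's hands: rotate the password, enrol MFA, and review the session's query history before assuming nothing was read.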

“Throughout our ongoing investigation, we have promptly notified the limited number of customers who we believe may have been affected,” the company said in its post.

Snowflake and the two security firms it retained to investigate the incident, Mandiant and CrowdStrike, said they had not yet found evidence that the breaches resulted from a “vulnerability, improper configuration or violation of the Snowflake platform.” But Beaumont said the cloud provider shares some of the blame for the breaches because setting up MFA on Snowflake is too cumbersome. He cited the compromise of the former employee’s demo account as support.

“They need to, at an engineering and security by design level, go back and review how authentication works because it’s pretty transparent that given the number of victims and the scale of the breach, the status quo has not worked,” Beaumont wrote. “Secure authentication should not be optional. And they need to be completely transparent about the steps they’re taking in the wake of this incident to strengthen things.”

Source: arstechnica.com