Today, Snowflake, a digital storage provider recently surrounded by controversy due to the Ticketmaster breach, issued a joint statement with industry giants CrowdStrike and Mandiant. This statement addresses their preliminary findings in the ongoing investigation into a targeted threat campaign against some Snowflake customer accounts.
Mandiant and CrowdStrike, both reputable players in Digital Forensics and Incident Response (DFIR), have a track record of handling the world’s most significant network compromises. Their involvement underscores the seriousness with which Snowflake is addressing the situation. Kudos to Snowflake for hiring not just one but two top-tier DFIR consulting firms – a clear sign of their commitment to transparency and security.
The joint statement outlines several critical preliminary findings:
- No Platform Vulnerability or Breach: There is no evidence suggesting that the unauthorized activity was due to a vulnerability, misconfiguration, or breach of Snowflake’s platform.
- No Compromised Credentials of Snowflake Personnel: There is no evidence that the activity was caused by compromised credentials of current or former Snowflake employees.
- Targeted Campaign Against Single-Factor Authentication: The threat actors appear to have targeted users with single-factor authentication, leveraging credentials obtained through infostealing malware.
- Former Employee’s Demo Account Accessed: The investigation found that personal credentials were used to access demo accounts belonging to a former Snowflake employee. These demo accounts did not contain sensitive data and were not connected to Snowflake’s production or corporate systems. The access was possible because Okta or Multi-Factor Authentication (MFA) did not protect the demo account.
Snowflake has promptly informed the limited number of affected customers and, along with Mandiant, has engaged in outreach to potentially impacted organizations.
The main takeaway from this statement is that Snowflake is removing itself and confidently stating that it was not their internal systems that were breached. This is important because the perpetrator who took responsibility for the breach of Ticketmaster implied he had access to more than 400 companies’ data hosted with Snowflake.
Here’s a quick recap to understand how we got here:
- May 20, 2024: Live Nation Entertainment (Ticketmaster) discovered unauthorized activity in a third-party cloud database.
- May 27, 2024: A dark web user claimed to have 560 million Ticketmaster user data for sale.
- May 29, 2024: The threat group ShinyHunters reposted the data for sale on BreachForums, giving the story immediate credibility.
- May 30, 2024: Cybersecurity group vx-underground verified the data’s legitimacy.
- May 31, 2024: Reports linked the Ticketmaster breach to a breach in Snowflake’s systems.
- May 31, 2024: Snowflake released a security bulletin acknowledging a breach but did not confirm the exact details.
- June 2, 2024: Snowflake releases the joint statement denying a breach of internal/production systems.
The real cause for the narrative shift and subsequent Snowflake involvement was Hudson Rock’s report of a conversation with the threat actor responsible for the breaches of Ticketmaster and Santander. According to the perpetrator, these breaches were facilitated by compromising Snowflake. The actor claimed access to data from over 400 companies using Snowflake and demanded $20 million from Snowflake to prevent the data from being published.
Hudson Rock removed its blog post a little less than a day after publishing it for an undisclosed reason. Stack Diary reached out for comment but has received no response.
We understand that Snowflake is denying this narrative and that its customers (Ticketmaster, Santander, and others) are at fault.
Here’s what we know:
- In their SEC filing, Ticketmaster says company data was accessed through a third-party cloud database. This is the service that Snowflake provides.
- Journalists from TechCrunch, 404 Media, and numerous cybersecurity groups were given sample data of the Ticketmaster breach; all of the said parties said that they believe “with great confidence” that the stolen data is real.
- In the TechCrunch article above, a Ticketmaster spokesperson confirmed that “its stolen database was hosted on Snowflake”.
- As of June 2, 2024 – Ticketmaster has not yet started sending email notifications warning its users about the data breach.
If we consider that Snowflake said that “this appears to be a targeted campaign directed at users with single-factor authentication,” we can assess that perhaps Ticketmaster had single-factor auth enabled. We also know, as per Snowflake, that the Threat Actor had been messing with Snowflake’s user accounts since mid-April 2024, and furthermore, they said, “We became aware of potentially unauthorized access to certain customer accounts on May 23, 2024.”.
This would be embarrassing not only for Ticketmaster but also for Santander, which the same Threat Actor also claimed responsibility for.
We’ll be watching new developments on this story closely.
