GOT MFA? — Ticketmaster hacked in whats believed to be a spree hitting Snowflake customers Researcher says Snowflake customers hit by mass scraping … “but nobody noticed.”
Dan Goodin – Jun 3, 2024 10:23 pm UTC EnlargeGetty Images reader comments 33
Cloud storage provider Snowflake said that accounts belonging to multiple customers have been hacked after threat actors obtained credentials through info-stealing malware or by purchasing them on online crime forums.
Ticketmaster parent Live Nationwhich disclosed Friday that hackers gained access to data it stored through an unnamed third-party providertold TechCrunch the provider was Snowflake. The live-event ticket broker said it identified the hack on May 20, and a week later, a criminal threat actor offered what it alleged to be Company user data for sale via the dark web.
Ticketmaster is one of six Snowflake customers to be hit in the hacking campaign, said independent security researcher Kevin Beaumont, citing conversations with people inside the affected companies. Australias Signal Directorate said Saturday it knew of successful compromises of several companies utilizing Snowflake environments. Researchers with security firm Hudson Rock said in a now-deleted post that Santander, Spains biggest bank, was also hacked in the campaign. The researchers cited online text conversations with the threat actor. Last month, Santander disclosed a data breach affecting customers in Chile, Spain, and Uruguay.
The tl;dr of the Snowflake thing is mass scraping has been happening, but nobody noticed, and they’re pointing at customers for having poor credentials, Beaumont wrote on Mastodon. It appears a lot of data has gone walkies from a bunch of orgs.
Word of the hacks came weeks after a hacking group calling itself ShinyHunters took credit for breaching Santander and Ticketmaster and posted data purportedly belonging to both as evidence. The group took to a Breach forum to seek $2 million for the Santander data, which it said included 30 million customer records, 6 million account numbers, and 28 million credit card numbers. It sought $500,000 for the Ticketmaster data, which the group claimed included full names, addresses, phone numbers, and partial credit card numbers for 560 million customers. Enlarge / Post by ShinyHunters seeking $2 million for Santander data. Enlarge / Post by ShinyHunters seeking $500,000 for Ticketmaster data.
Beaumont didnt name the group behind the attacks against Snowflake customers but described it as a teen crimeware group whove been active publicly on Telegram for a while and regularly relies on infostealer malware to obtain sensitive credentials. Advertisement
The group has been responsible for hacks on dozens of organizations, with a small number of them including: Online dating app Zoosk (30 million user records) Printing service Chatbooks (15 million user records) South Korean fashion platform SocialShare (6 million user records) Food delivery service Home Chef (8 million user records) Online marketplace Minted (5 million user records) Online newspaper Chronicle of Higher Education South Korean furniture magazine GGuMim (2 million user records) Health magazine Mindful (2 million user records) Indonesia online store Bhinneka (1.2 million user records) US newspaper, the Minneapolis StarTribune (1 million user records) AT&T A Microsoft GitHub account.
According to Snowflake, the threat actor used already compromised account credentials in the campaign against its customers. Those accounts werent protected by multifactor authentication (MFA).
Snowflake also said that the threat actor used compromised credentials to a former employee account that wasnt protected by MFA. That account, the company said, was created for demonstration purposes.
It did not contain sensitive data, Snowflakes notification stated. Demo accounts are not connected to Snowflakes production or corporate systems.
The company urges all customers to ensure all their accounts are protected with MFA. The statement added that customers should also check their accounts for signs of compromise using these indicators.
Throughout the course of our ongoing investigation, we have promptly informed the limited number of customers who we believe may have been impacted, the company said in the post.
Snowflake and the two security firms it has retained to investigate the incidentMandiant and Crowdstrikesaid they have yet to find any evidence the breaches are a result of a vulnerability, misconfiguration, or breach of Snowflakes platform. But Beaumont said the cloud provider shares some of the responsibility for the breaches because setting up MFA on the Snowflake is too cumbersome. He cited the breach of the former employees demo account as support.
They need to, at an engineering and secure by design level, go back and review how authentication worksas its pretty transparent that given the number of victims and scale of the breach that the status quo hasnt worked, Beaumont wrote. Secure authentication should not be optional. And theyve got to be completely transparent about steps they are taking off the back of this incident to strengthen things. reader comments 33 Dan Goodin Dan Goodin is Senior Security Editor at Ars Technica, where he oversees coverage of malware, computer espionage, botnets, hardware hacking, encryption, and passwords. In his spare time, he enjoys gardening, cooking, and following the independent music scene. Advertisement Channel Ars Technica ← Previous story Next story → Related Stories Today on Ars