Incident

Hacker claims to have compromised Snowflake to steal data from Ticketmaster, Santander and many more

Take action: If you are using Snowflake, enforce SSO or MFA for all users accessing Snowflake, and check your accounts against the published indicators of compromise.


Learn More

A recent series of high-profile data breaches involving Santander, Ticketmaster, and other major companies has been linked to an attack on the cloud data platform company Snowflake. The attacker claims to have accessed sensitive data by exploiting a Snowflake employee's account.

The attacker apparently gained access through a Snowflake employee's ServiceNow account using stolen credentials, then bypassed Okta's authentication to generate session tokens, allowing data exfiltration from multiple Snowflake customers.

The attacker claims to have data from approximately 400 companies, including Adobe, AT&T, Capital One, Mastercard, Anheuser-Busch, State Farm, Mitsubishi, Progressive and more. They attempted to extort $20 million from Snowflake in exchange for the stolen data.

Snowflake disputes these claims, attributing the breaches to poorly secured customer accounts. It denies that any vulnerability or misconfiguration in its products caused the breaches and asserts that the attacks resulted from customer accounts with weak security practices.

A security advisory from Snowflake notes increased attack activity beginning in mid-April 2024, and confirms that a former employee's demo account was accessed but states it did not contain sensitive data. In the advisory Snowflake has published indicators of compromise for customer review and urges customers to secure their accounts with multi-factor authentication (MFA).

Hudson Rock has investigated and reported on the attack details, confirming the threat actor's claims with evidence.

Snowflake customers are recommended to enable Multi-Factor Authentication (MFA) or enforce SSO-only login, and to check and monitor their accounts for suspicious activity using the published indicators of compromise.
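One way to carry out that check and enforcement inside Snowflake itself, as an added example that is not part of the advisory or of Snowflake's own guidance: the first two queries surface password-only logins and users who have never enrolled in MFA via the ACCOUNT_USAGE views, and the final statements require SSO or MFA account-wide through an authentication policy. Assumes the ACCOUNTADMIN role (or one granted the needed privileges) and a schema security.policies of your own; the policy name is a placeholder.

```sql
-- Added example, not from the advisory: audit recent Snowflake logins by
-- authentication factor, then enforce MFA/SSO with an authentication policy.
-- Assumes ACCOUNTADMIN and a schema security.policies; names are placeholders.

-- 1. Successful logins in the last 30 days that used a password with no
--    second factor: the accounts most exposed to stolen credentials.
--    (ACCOUNT_USAGE views lag live activity by up to about two hours.)
SELECT user_name,
       client_ip,
       reported_client_type,
       first_authentication_factor,
       second_authentication_factor,
       COUNT(*)             AS logins,
       MIN(event_timestamp) AS first_seen,
       MAX(event_timestamp) AS last_seen
FROM   snowflake.account_usage.login_history
WHERE  event_timestamp >= DATEADD('day', -30, CURRENT_TIMESTAMP())
  AND  is_success = 'YES'
  AND  first_authentication_factor = 'PASSWORD'
  AND  second_authentication_factor IS NULL
GROUP  BY 1, 2, 3, 4, 5
ORDER  BY logins DESC;

-- 2. Active users that hold a password but have never enrolled in MFA
--    (EXT_AUTHN_DUO = FALSE): these should be pushed to enroll or moved to SSO.
SELECT name, login_name, last_success_login
FROM   snowflake.account_usage.users
WHERE  deleted_on IS NULL
  AND  NOT disabled
  AND  has_password
  AND  NOT ext_authn_duo
ORDER  BY last_success_login DESC NULLS LAST;

-- 3. Account-level policy: allow only SSO (SAML) or password logins, and
--    require MFA enrollment for password users on every client type.
CREATE AUTHENTICATION POLICY IF NOT EXISTS security.policies.require_mfa_or_sso
  AUTHENTICATION_METHODS = ('SAML', 'PASSWORD')
  MFA_ENROLLMENT         = REQUIRED
  CLIENT_TYPES           = ('ALL');

ALTER ACCOUNT SET AUTHENTICATION POLICY security.policies.require_mfa_or_sso;
```

Compare the client IPs and client types returned by the first query against the indicators Snowflake published before applying the policy, so that any session already established with stolen credentials is revoked rather than merely blocked from re-authenticating.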

Update - As of 16th of June 2024, the threat group tracked as UNC5537 has begun data extortion against organizations impacted by the Snowflake breach, with up to 10 affected entities pressured to pay ransoms ranging from $300,000 to $5 million.

As of 28th of June 2024, Ticketmaster has begun notifying customers of the data breach. They are downplaying the impact as affecting "more than 1,000 people". Ticketmaster has offered one year of free identity monitoring and recommends vigilance against identity theft and fraud.

As of 5th of November 2024, Canadian authorities report they have arrested Alexander "Connor" Moucka, a 26-year-old from Ontario, Canada, in connection with the Snowflake data breach. Acting on a U.S. provisional arrest warrant, Canadian law enforcement detained Moucka on October 30, 2024 in Ontario. While specific charges remain undisclosed, Moucka appeared in court on Tuesday, with extradition to the U.S. pending.
