Snowflake account hacks linked to Santander, Ticketmaster breaches, Ticketmaster Confirms Act

A threat actor claiming recent Santander and Ticketmaster breaches says they stole data after hacking into an employee’s account at cloud storage company Snowflake. However, Snowflake disputes these claims, saying recent breaches were caused by poorly secured customer accounts.

Snowflake’s cloud data platform is used by 9,437 customers, including some of the largest companies worldwide, like Adobe, AT&T, Capital One, Doordash, HP, Instacart, JetBlue, Kraft Heinz, Mastercard, Micron, NBC Universal, Nielsen, Novartis, Okta, PepsiCo, Siemens, US Foods, Western Union, Yamaha, and many others.

According to cybersecurity firm Hudson Rock, the threat actor claimed they also gained access to data from other high-profile companies using Snowflake’s cloud storage services, including Anheuser-Busch, State Farm, Mitsubishi, Progressive, Neiman Marcus, Allstate, and Advance Auto Parts.

To do that, they say they bypassed Okta’s secure authentication process by signing into a Snowflake employee’s ServiceNow account using stolen credentials. Next, they claim they could generate session tokens to exfiltrate data belonging to Snowflake customers.

“To put it bluntly, a single credential resulted in the exfiltration of potentially hundreds of companies that stored their data using Snowflake, with the threat actor himself suggesting 400 companies are impacted,” Hudson Rock said.

“The threat actor shared [a file] with Hudson Rock’s researchers, which shows the depth of their access to Snowflake servers. This file documents over 2,000 customer instances relating to Snowflake’s Europe servers.”

The threat actor claims they wanted to blackmail Snowflake into buying back the stolen data for $20 million, but the company didn’t reply to their extortion attempts.

Live Nation has confirmed that Ticketmaster suffered a data breach after its data was stolen from a third-party cloud database provider, which is believed to be Snowflake.

“On May 20, 2024, Live Nation Entertainment, Inc. (the “Company” or “we”) identified unauthorized activity within a third-party cloud database environment containing company data (primarily from its Ticketmaster LLC subsidiary) and launched an investigation with industry-leading forensic investigators to understand what happened,” Live Nation shared in a Friday night SEC filing.

“On May 27, 2024, a criminal threat actor offered what it alleged to be Company user data for sale via the dark web.”

“We are working to mitigate risk to our users and the Company, and have notified and are cooperating with law enforcement. As appropriate, we are also notifying regulatory authorities and users with respect to unauthorized access to personal information.”

While the breach has allegedly exposed the data of over 560 million Ticketmaster users, the company states that they do not believe that the breach will have a material impact on the overall business operations or its financial condition.

This admission comes after a threat actor known as ShinyHunters has been attempting to sell the Ticketmaster data on a hacking forum for $500,000.

The allegedly stolen databases supposedly contain 1.3TB of data, including customers’ full details (i.e., names, home and email addresses, and phone numbers), as well as ticket sales, order, and event information for 560 million customers.

In a conversation with BleepingComputer, ShinyHunters said that there were interested buyers for the data, and that they believed one of the buyers who approached them was Ticketmaster itself.

When asked how they stole the data, the threat actor said they “can’t say anything about this.”

However, today, more information was revealed on how the threat actors gained access to the Ticketmaster database and possibly the data of many other customers.

Alon Gal of Hudson Rock spoke to one of the threat actors behind the attack, who claimed they were responsible for recent Santander and Ticketmaster data breaches and said they stole the data from cloud storage company Snowflake.

According to the threat actor, they used credentials stolen using information-stealing malware to breach a Snowflake employee’s ServiceNow account, which they used to exfiltrate information from the company. This information included unexpired auth tokens that could be used to create session tokens and access customer accounts to download data.

The threat actor claims that they used this method to steal data from other companies, including Anheuser-Busch, State Farm, Mitsubishi, Progressive, Neiman Marcus, Allstate, and Advance Auto Parts.

Progressive and Mitsubishi disputed the threat actor’s claims, telling BleepingComputer that there is no indication of any breach of their systems or data.

Snowflake says the recent breaches were caused by poorly secured customer accounts whose credentials were stolen and did not have multi-factor authentication enabled.

The company added that the attacks began in mid-April, with customers’ data first being stolen on May 23. Snowflake has shared IOCs from the attacks so that customers can query logs to determine if they were breached.
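The log check Snowflake describes can be run by customers themselves. The following added example (written for this page; not code from the article, from Snowflake, or from Mandiant) triages an exported login history for the two conditions the article names: successful password logins with no second factor, and logins matching an IOC list. The column names follow Snowflake’s ACCOUNT_USAGE.LOGIN_HISTORY view; the sample rows, the IOC CIDR and the flagged client type are constructed placeholders, because the article does not reproduce Snowflake’s actual IOC list.

```python
"""Triage a Snowflake LOGIN_HISTORY export for password-only logins and IOC hits.

Added example for illustration; not Snowflake's or Mandiant's tooling.
"""
import csv
import io
import ipaddress
from dataclasses import dataclass

# Constructed sample export. Column names mirror SNOWFLAKE.ACCOUNT_USAGE.LOGIN_HISTORY;
# every value below is made up for the example.
SAMPLE_LOGIN_HISTORY = """\
EVENT_TIMESTAMP,USER_NAME,CLIENT_IP,REPORTED_CLIENT_TYPE,FIRST_AUTHENTICATION_FACTOR,SECOND_AUTHENTICATION_FACTOR,IS_SUCCESS
2024-05-23T02:14:09Z,ETL_SVC,198.51.100.23,PYTHON_DRIVER,PASSWORD,,YES
2024-05-23T02:16:40Z,ETL_SVC,198.51.100.23,PYTHON_DRIVER,PASSWORD,,YES
2024-05-23T08:01:12Z,alice,203.0.113.5,SNOWFLAKE_UI,PASSWORD,DUO_PUSH,YES
2024-05-22T22:45:00Z,bob,192.0.2.77,JDBC_DRIVER,PASSWORD,,NO
2024-05-24T11:30:30Z,carol,203.0.113.9,OTHER,RSA_KEYPAIR,,YES
"""

# Placeholder IOC list (constructed). Replace with the indicators Snowflake published.
IOC_CIDRS = {"198.51.100.0/24"}
IOC_CLIENT_TYPES = {"OTHER"}


@dataclass(frozen=True)
class Finding:
    timestamp: str
    user: str
    client_ip: str
    reasons: tuple  # one or more human-readable reasons the login was flagged


def _ip_in_iocs(ip: str, cidrs) -> bool:
    """True if the client IP falls inside any IOC network."""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(c) for c in cidrs)


def triage_logins(csv_text: str, ioc_cidrs=IOC_CIDRS, ioc_clients=IOC_CLIENT_TYPES):
    """Return a Finding for every successful login that is password-only or matches an IOC."""
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        if row["IS_SUCCESS"] != "YES":
            continue  # failed attempts are not evidence of access; handled separately if needed
        reasons = []
        # A password login with an empty second factor is exactly the weak account
        # configuration the article says was abused.
        if row["FIRST_AUTHENTICATION_FACTOR"] == "PASSWORD" and not row["SECOND_AUTHENTICATION_FACTOR"]:
            reasons.append("password-only login (no MFA)")
        if _ip_in_iocs(row["CLIENT_IP"], ioc_cidrs):
            reasons.append("client IP matches IOC list")
        if row["REPORTED_CLIENT_TYPE"] in ioc_clients:
            reasons.append("client type matches IOC list")
        if reasons:
            findings.append(Finding(row["EVENT_TIMESTAMP"], row["USER_NAME"], row["CLIENT_IP"], tuple(reasons)))
    return findings


def users_without_mfa(csv_text: str):
    """Users that completed at least one successful password login with no second factor."""
    return sorted({f.user for f in triage_logins(csv_text) if any("no MFA" in r for r in f.reasons)})


def high_priority(csv_text: str):
    """Logins that combine a missing second factor with an IOC match: investigate these first."""
    return [f for f in triage_logins(csv_text) if len(f.reasons) >= 2]


if __name__ == "__main__":
    for f in triage_logins(SAMPLE_LOGIN_HISTORY):
        print(f.timestamp, f.user, f.client_ip, "; ".join(f.reasons))
    print("users to enforce MFA on:", users_without_mfa(SAMPLE_LOGIN_HISTORY))
```

Key-pair logins (RSA_KEYPAIR) are deliberately not counted as “no MFA”, since they carry no password to steal; they are still checked against the IOC list. In practice the export would come from a query against ACCOUNT_USAGE.LOGIN_HISTORY over the mid-April to late-May window the article gives, and the MFA findings feed directly into which users to enforce a second factor on.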

Mandiant Consulting CTO Charles Carmakal told BleepingComputer that Mandiant has been investigating compromised Snowflake clients over the past few weeks and believes their Snowflake tenants were breached using stolen credentials.

When we contacted Snowflake to confirm the threat actor’s claims that they hacked an employee’s account, instead of disputing them, they said they had nothing further to share.

A threat actor known as ShinyHunters is claiming to be selling a massive trove of Santander Bank data, including information for 30 million customers, employees, and bank account data, two weeks after the bank reported a data breach.

ShinyHunters is known for selling and leaking data from numerous companies over the years, including this week’s alleged massive Ticketmaster data breach impacting 560 million people. They are also the owner of BreachForums, a notorious online community trafficking in the sale and leaking of stolen data, which has survived several law enforcement takedowns over the past couple of years.

Two weeks ago, Spain’s largest bank, Santander, disclosed a data breach after detecting unauthorized access to a database hosted by a third-party provider.

The company’s investigation determined that the threat actor accessed data for employees and customers in Chile, Spain, and Uruguay.

“Following an investigation, we have now confirmed that certain information relating to customers of Santander Chile, Spain and Uruguay, as well as all current and some former Santander employees of the group had been accessed,” reads a statement from Santander.

“Customer data in all other Santander markets and businesses are not affected.”

Fast forward two weeks, and as first spotted by Dark Web Informer, ShinyHunters is now claiming to sell the data for Santander customers in Chile, Spain, and Uruguay for $2 million, the same data the bank reported was stolen.

ShinyHunters claims that the stolen data contains the personal information of 30 million customers and employees, 28 million credit card numbers, and 6 million account numbers and balances.
As part of the sale listing, the threat actor also shared samples of the data that contain the listed information but cannot be confirmed to belong to Santander.

It should be noted that Santander’s Q1 2024 financial report states that there are only 19.5 million customers in those countries, rather than the 30 million claimed by the threat actor.

This sales listing comes soon after the FBI seized BreachForums on May 15th, which was operated by ShinyHunters and another threat actor known as Baphomet.

While ShinyHunters says that Baphomet was arrested, he quickly restored the BreachForums site from a backup to a new domain.

Since then, the threat actor has posted the Ticketmaster and Santander data for sale, which some feel was done to restore the reputation of the site after its takedown by law enforcement.

However, what makes these sales unusual is that both were first listed on the Russian-speaking Exploit hacking forum days before they were listed on the newly-restored BreachForums.

These sales were listed under the accounts of new members, with no reference to BreachForums or ShinyHunters, making others believe the sale on BreachForums is a fake.

However, ShinyHunters has commonly acted as a data breach broker for other threat actors in the past, and it is not uncommon for these threat actors to create new aliases on various forums to sell stolen data.

While Ticketmaster has not confirmed whether a data breach occurred, ShinyHunters has a reputation for selling valid data breaches in the past.

In 2021, ShinyHunters claimed to be selling the stolen data of 73 million AT&T customers, which the company repeatedly denied to BleepingComputer.

“I don’t care if they don’t admit. I’m just selling,” ShinyHunters told BleepingComputer at the time.

In 2024, after the AT&T data was leaked on a hacking forum, AT&T finally confirmed that the data was legitimate and that they had suffered a breach.

In the past, ShinyHunters has breached or leaked the data for numerous companies, including Wattpad, Tokopedia, Microsoft’s GitHub account, BigBasket, Nitro PDF, Pixlr, TeeSpring, Promo.com, Mathway, and many more.
