Snowflake says there’s no evidence attackers breached its platform to hack Ticketmaster
Illustration by Amelia Holowaty Krales / The Verge

A Ticketmaster data breach that allegedly includes details for 560 million accounts and another one affecting Santander have been linked to their accounts at Snowflake, a cloud storage provider. However, Snowflake says there’s no evidence its platform is at fault.

A joint statement to that effect made last night with CrowdStrike and Mandiant, two third-party security companies investigating the incident, lends additional credibility to the claim. Also, an earlier third-party report saying bad actors generated session tokens and may have compromised “hundreds” of Snowflake accounts has now been removed. Hudson Rock, the security firm behind that report, posted a statement of its own today on LinkedIn: “In accordance to a letter we received from Snowflake’s legal counsel, we have decided to take down all content related to our report.”

A post from Snowflake says, “To date, we do not believe this activity is caused by any vulnerability, misconfiguration, or malicious activity within the Snowflake product. Throughout the course of our ongoing investigation, we have promptly informed the limited number of customers who we believe may have been impacted.”

The joint statement says the attacks appear to be a “targeted campaign” focused on accounts without multifactor authentication. Snowflake has also released instructions for customers to review their accounts for unusual activity and ways to set up account and network policies to prevent similar attacks.

Snowflake, CrowdStrike, and Mandiant:

We have not identified evidence suggesting this activity was caused by a vulnerability, misconfiguration, or breach of Snowflake’s platform;

We have not identified evidence suggesting this activity was caused by compromised credentials of current or former Snowflake personnel;

This appears to be a targeted campaign directed at users with single-factor authentication;

As part of this campaign, threat actors have leveraged credentials previously purchased or obtained through infostealing malware; and

We did find evidence that a threat actor obtained personal credentials to and accessed demo accounts belonging to a former Snowflake employee. It did not contain sensitive data. Demo accounts are not connected to Snowflake’s production or corporate systems. The access was possible because the demo account was not behind Okta or Multi-Factor Authentication (MFA), unlike Snowflake’s corporate and production systems.

Ticketmaster's parent company, Live Nation, which waited 11 days to confirm the data breach in a note to investors late Friday evening, has not provided any additional details about what information has been compromised or responded to inquiries.