
List of Snowflake customers affected since Ticketmaster leak continues to grow

The list of companies whose data has been captured in the massive data theft from Snowflake environments keeps growing. By now, it’s safe to say that this is the largest leak of 2024, at least so far. It’s time for a reconstruction.

Anyone who regularly visited Techzine or other IT news sites in recent months would read a news item every few weeks about yet another company whose Snowflake environment had been robbed of customer data. Initially, it was not always clear that these incidents were related.

Only in May did it become clear that the reports trickling in were quite similar. Most of the thefts probably took place in April or May this year. They almost always involved info stealer campaigns and captured login details, at least in those cases where the modus operandi is clear.

It is useful to summarise which companies have been affected so far. The vast majority remains unknown, although research by security company and Google unit Mandiant, which conducted the study together with Snowflake, shows that the attacks have victimised at least 165 organizations.

Mandiant found no evidence that the unauthorised access to Snowflake customer accounts was due to a vulnerability in Snowflake’s systems. Each incident was caused by compromised customer credentials. There was nothing wrong with the lock, but the affected companies had left their key in it, as it were.

Leak at Ticketmaster

The news in late May about Ticketmaster, which lost the data of 560 million customers, got the ball rolling. Ticketmaster is a well-known player and a near-monopolist in ticket sales for concerts and performances by the biggest celebrities—a high-profile case, in other words.

The more than 1.3 terabytes of data stolen from the company allegedly included names and addresses, phone and order information, and partial credit card information. The data surfaced on the criminal marketplace BreachForums, owned by the criminals of the threat group ShinyHunters.

They offered the data for sale for 500,000 dollars (462,000 euros). However, it is certainly not clear whether this group is also responsible for the data theft, is affiliated with it or is simply an intermediary. BreachForums had been taken offline by the FBI shortly before this incident. Getting it back on the air was apparently no big deal.

Regardless, it forced Ticketmaster’s publicly traded US parent company Live Nation to report the theft to the American stock market watchdog SEC. Or rather, it reported ‘unauthorized activity within a third-party cloud database environment’. It was clear to anyone who could put two and two together that this had to be Ticketmaster’s Snowflake environment.

Concert tickets put online

The criminals wanted to show they meant business, so they posted 39,000 ‘print at home’ tickets for 154 performances on the internet. This was to get the entertainment giant to pay up after all. These were upcoming concerts by stars such as Aerosmith, Alanis Morissette, Bruce Springsteen, Cirque du Soleil, Metallica, Pearl Jam, and the Red Hot Chili Peppers. This was done not by ShinyHunters but by a hacker (or group) named Sp1derHunters.

Even though the Ticketmaster case may be the most high-profile, it was not the first report of data theft from a Snowflake environment. On May 14, the Spanish bank Santander (with branches worldwide) already announced that someone had gained unauthorized access to the bank’s database environment, hosted by a third party.

The Santander data theft reportedly occurred back in April of this year. It involved data from more than 30 million of the bank’s customers and employees in Chile, Spain, and Uruguay.

‘No vulnerability in Snowflake systems’

Snowflake’s CISO made it clear several times in communications about the thefts that Snowflake was not at fault. In response to a claim to the contrary by cybersecurity specialist Hudson Rock, the Boston-based company reported that there was nothing to suggest that the malicious activity was caused by a vulnerability, misconfiguration, or breach of its platform.

While a personal demo account of a former Snowflake employee had been compromised, it contained no sensitive information that could have led to the series of incidents. Hudson Rock retracted their initial claim.

Attackers allegedly gained access via captured login information, sometimes years old and not recently rotated, for environments lacking multifactor authentication. Also allegedly missing in these cases was a network allow-list, which ensures that only traffic from trusted locations gets access. In each case, one or more hackers (designated UNC5537) managed to break in this way. Research by Mitiga, another cloud security solution provider, confirmed this scenario.


No public confirmation

It is worth noting that Santander did not publicly confirm the link between itself and Snowflake. Everyone assumes the connection because all signals point in that direction, as in the Ticketmaster case. The company reported ‘unauthorized access to a third-party cloud environment’ without mentioning Snowflake, ShinyHunters, UNC5537, Sp1derHunters, or any threat group.

This is probably to disguise the fact that the bank carries part of the blame, because it seems to have inadequately applied basic security measures. This is actually true of all affected companies. Snowflake has since introduced a new feature that allows admins to make multifactor authentication mandatory. However, the responsibility to implement this still lies with the customer.
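For the two controls the article names, multifactor authentication and a network allow-list, this is what the checks and the hardened settings look like in Snowflake SQL. It is an added example, not code from the article, Snowflake or Mandiant; it assumes an account-level administrative role, a current database and schema for the policy objects, and uses placeholder IP ranges.

```sql
-- Added example, not from the article or from Snowflake/Mandiant guidance.
-- Assumes a role with account-level privileges (e.g. ACCOUNTADMIN) and a
-- current database/schema in which the policy objects can be created.

-- 1. Successful password logins over the last 30 days that used no second
--    factor: these are the sessions a stolen password alone can open.
SELECT user_name, client_ip, reported_client_type, event_timestamp
FROM snowflake.account_usage.login_history
WHERE is_success = 'YES'
  AND first_authentication_factor = 'PASSWORD'
  AND second_authentication_factor IS NULL
  AND event_timestamp >= DATEADD(day, -30, CURRENT_TIMESTAMP())
ORDER BY event_timestamp DESC;

-- 2. Active users whose password has not been rotated in over a year
--    (the "years old" credentials described above).
SELECT name, password_last_set_time, last_success_login
FROM snowflake.account_usage.users
WHERE deleted_on IS NULL
  AND has_password = TRUE
  AND password_last_set_time < DATEADD(year, -1, CURRENT_TIMESTAMP());

-- 3. Network allow-list: only the listed source addresses may connect.
--    The ranges are placeholders; replace them with your own egress IPs.
CREATE NETWORK POLICY IF NOT EXISTS corp_only
  ALLOWED_IP_LIST = ('203.0.113.0/24', '198.51.100.10');
ALTER ACCOUNT SET NETWORK_POLICY = corp_only;

-- 4. Make MFA enrollment mandatory for every user in the account.
CREATE AUTHENTICATION POLICY IF NOT EXISTS require_mfa
  MFA_ENROLLMENT = REQUIRED
  CLIENT_TYPES = ('SNOWFLAKE_UI', 'DRIVERS');
ALTER ACCOUNT SET AUTHENTICATION POLICY require_mfa;
```

Snowflake refuses to activate an account-level network policy that would block the session setting it, so verify the ranges on a single user first; service accounts that cannot enroll in MFA should move to key-pair authentication rather than be exempted from the policy.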

Confirmation that the Santander incident was part of something larger went through the grapevine. For example, BleepingComputer reported that both Ticketmaster and Santander indeed use Snowflake environments. Snowflake confirmed data thefts without naming names, mainly to make the point that the company itself was not to blame.

Auto parts dealer

Meanwhile, news reports continued to trickle in. Another big catch, made public on June 6, was Advance Auto Parts, a completely unknown entity in Europe but a major player in (used) auto parts in North America and several Caribbean islands. The company reported the theft of some 2.3 million pieces of customer data to prosecutors in the US state of Maine.

The number of accounts actually affected may be much bigger, as this data came from a database containing the data of 380 million customers, captured between April 14 and May 24. This included credit card data, employee information, and loyalty card numbers. That amounts to some 3 terabytes of data, which was offered for sale for 1.5 million dollars. The notification to the authorities came a good month after the original news broke.

Same tactic used multiple times

The hackers in this case, calling themselves “Sp1d3r” (a pattern is becoming apparent), managed to hack into Advance Auto Parts’ Snowflake account presumably via infostealer malware, according to Mandiant, which assisted Snowflake in this case as well. It appears that this tactic was successfully used at various companies, mostly in the period mid-April/mid-May. In any case, this third incident ran the counter up to 970 million potentially stolen credentials.

A Snowflake environment belonging to storage provider Pure Storage also proved insufficiently secured. This involved one data analytics workspace, where the company stored telemetry for customer service purposes. Potentially captured data involved company names, LDAP user names, e-mail addresses, and the version number of the software used by Pure Storage’s customers. According to the company, the thieves didn’t get their hands on directly compromising material, such as passwords or customer data.

Retail chains, insurers and schools

Further joining the ranks of affected companies was the American luxury department store chain Neiman Marcus Group. It emerged in late June that it had lost the data of 60,000 customers to cybercriminals. The data included transaction data, email addresses, gift card numbers, purchase and order information, and employee data. It went up for sale for 150,000 dollars.

Other companies robbed of customer data include brewery Anheuser-Busch, automaker Mitsubishi, insurance companies Allstate, Progressive and State Farm, and Los Angeles Unified, the second-largest public school district in the US. The latter involved 11 GB of records, including the data of 26,000 students. The asking price here was ‘only’ 1,000 bucks. For many other affected companies, the extent of the damage and the ransom demand are not clear.

Nude pictures

However, Mandiant recently stated that cybercriminals are asking, on average, between 300,000 and 5 million dollars (between 280,000 and 4.6 million euros) for decryption or return of the captured data. The hackers submitted such demands to at least 10 companies, the cybersecurity firm said.

The hackers, allegedly operating from North America and Turkey, are extremely brazen, a company spokesman said. Researchers themselves faced threats, including an attempt to intimidate them with AI-generated ‘nude photos’ of a security specialist involved to dissuade them from further sleuthing.

Overlap with other networks

As we previously reported, according to Mandiant, it is possible that UNC5537 has significant overlap with the group Scattered Spider, whose leader was recently arrested in Spain. It remains unclear how these loose-knit criminal partnerships actually work.

Mandiant has issued instructions for companies that have fallen victim to this extensive data theft. Although only a fraction of the cases have been brought to light, more cases are bound to become public in the future. However, we may never know how big the theft really was.