A threat actor has reportedly taken responsibility for recent data breaches involving Ticketmaster and Santander Bank, claiming they stole data after hacking an employee account at Snowflake, a third-party cloud storage company. Snowflake, however, has denied these breach claims, attributing the breaches to poorly secured customer accounts instead.
“To date, we do not believe this activity is caused by any vulnerability, misconfiguration, or malicious activity within the Snowflake product,” the cloud storage giant said in a statement today.
Snowflake’s AI Data Cloud platform serves more than 9,000 customers, including major companies such as Adobe, AT&T, Capital One, DoorDash, HP, Instacart, JetBlue, Kraft Heinz, Mastercard, Micron, NBC Universal, Nielsen, Novartis, Okta, PepsiCo, Siemens, US Foods, Western Union, and Yamaha, among others.
Alleged Snowflake Breach Details
According to cybersecurity firm Hudson Rock, the threat actor claims to have accessed data from additional high-profile companies using Snowflake’s services, including Anheuser-Busch, State Farm, Mitsubishi, Progressive, Neiman Marcus, Allstate, and Advance Auto Parts.
The method described involved bypassing Okta’s authentication by using stolen credentials to log into a Snowflake employee’s ServiceNow account. From there, they allegedly generated session tokens to extract data from Snowflake customers.
Hudson Rock reported that the threat actor claimed the breach affected up to 400 companies, showing evidence of access to over 2,000 customer instances related to Snowflake’s Europe servers.
Extortion Attempt and Malware Involvement
The threat actor claimed to have attempted to extort Snowflake for $20 million to buy back the stolen data, but Snowflake did not respond. Hudson Rock noted that a Snowflake employee was infected with a Lumma-type Infostealer in October, which stole their corporate credentials. The malware infection was supported by screenshots shared by the threat actor.
Snowflake Responds
Snowflake has confirmed breaches of customer accounts but denied that any vulnerability or misconfiguration in its products was exploited. The cloud storage company stated that they observed unauthorized access to certain customer accounts , which they said is likely unrelated to any flaws in Snowflake’s infrastructure.
“We believe this is the result of ongoing industry-wide, identity-based attacks with the intent to obtain customer data. Research indicates that these types of attacks are performed with our customers’ user credentials that were exposed through unrelated cyber threat activity.
Snowflake has notified the “limited” number of customers about these attacks and urged them to enhance their account security by enabling multi-factor authentication (MFA).
Tools and Indicators of Compromise
The company published a security bulletin containing Indicators of Compromise (IoCs), investigative queries, and guidance for securing affected accounts.
One IoC indicates that the threat actors used a custom tool named “RapeFlake” to exfiltrate data from Snowflake’s databases. Another showed the use of “DBeaver Ultimate” data management tools, with logs indicating connections from the “DBeaver_DBeaverUltimate” user agent.
While a threat actor claims to have breached Snowflake and accessed data from numerous high-profile companies, Snowflake maintains that these breaches resulted from compromised customer accounts rather than any inherent vulnerabilities in their systems. Snowflake continues to investigate the incidents and has taken steps to improve customer account security.
