Ticketmaster and Santander data breaches linked to Snowflake cloud storage

06:35 01/06/2024


A suspected data breach affecting 560 million Ticketmaster accounts and another confirmed by Santander Bank may have originated from attacks on the companies' accounts at a cloud storage provider called Snowflake. According to Bleeping Computer, an investigation by cybersecurity firm Hudson Rock reports that a bad actor accessed Ticketmaster and Santander data using the stolen credentials of a Snowflake employee.


According to Hudson Rock, the attacker bypassed the Okta authentication service by using these credentials and then generated session tokens to obtain a trove of information from Snowflake. In addition to Ticketmaster and Santander Bank, Hudson Rock believes the attacker may have accessed hundreds of other Snowflake customers. Some of the big brands that use this cloud storage service include AT&T, HP, Instacart, DoorDash, NBCUniversal, and Mastercard.

According to Bleeping Computer, the attackers appear to be a hacker group called ShinyHunters, which attempted to sell Ticketmaster data on the dark web for $500,000. ShinyHunters also claimed responsibility for the Santander attack and offered to sell information believed to belong to more than 30 million customers.

Snowflake appeared to refute Hudson Rock’s findings in its latest response, saying that while investigating “potential unauthorized access to certain customer accounts,” it “observed increased threat activity beginning in mid-April 2024 from a group of IP addresses and suspicious partners that we believe are involved in unauthorized access.”

The company said that although a bad actor accessed a “demo account” belonging to a former employee, the account did not contain sensitive information. It stated: “To date, we do not believe this activity is due to any vulnerabilities, misconfigurations, or malicious activity in the Snowflake product.”

Ticketmaster has not yet confirmed any breach, but malware tracker vx-underground said it can confirm “with a high degree of confidence” that the leaked data was legitimate. It noted that some of the leaked information dates back to the mid-2000s and included full names, emails, addresses, phone numbers, encrypted credit card numbers and more.

Earlier this month, Santander published a statement confirming that “some information” of customers in Chile, Spain and Uruguay had been accessed. Techlade reached out to Ticketmaster and Santander for comment but did not immediately receive a response.
