2024-06-03
Snowflake Breach Affects Ticketmaster, Santander
A data security breach at cloud provider Snowflake has affected several organizations, including Ticketmaster and Santander. In an SEC filing last week, Ticketmaster parent company Live Nation disclosed that it “identified unauthorized activity within a third-party cloud database environment containing Company data.” In mid-May, Santander released a statement noting that it “recently became aware of an unauthorized access to a Santander database hosted by a third-party provider.” In a recent update about the incident, Snowflake indicated that it believed the attack to be the result of credential stuffing, while also noting that it discovered evidence that a threat actor obtained access credentials belonging to a former Snowflake employee.
Editor's Note
It is unclear at this point how much of this is a Snowflake issue and how much of this is a customer problem. Just because the provider offers stupid authentication options doesn't mean you have to use them.
Johannes Ullrich
Rotate those Ticketmaster credentials and enable two-factor authentication. While some of the details about how data was breached are changing, the constant is that reusable credentials were compromised. Your task is to verify that you require MFA for all access to third-party services, as well as understand their level of access and access control mechanisms. Make sure you have access control rules to only allow authorized users and systems to access these services. Are you getting logs to your SIEM? Verify you have plans for rotating credentials if required/compromised.
Lee Neely
Kudos to Snowflake for responding to the reports of the breach so quickly and for identifying that the cause was not a breach of their systems. It appears the cause of these breaches is client accounts with weak or compromised passwords married with a lack of Multi-Factor Authentication enabled. This, however, should not let Snowflake off the hook entirely. As we become more and more reliant on cloud service providers, those same cloud service providers need to take a more proactive approach to ensure their user base has appropriate security controls in place, such as making MFA on by default, better integration with clients' Identity and Access Management platforms, providing better access to security logs, to mention just a few.
Brian Honan
Since the user count on this one is so high, good idea to remind employees that if they used Ticketmaster, they need to update every other place they used the same password. The high impacted user count will also exacerbate finger pointing on who is actually liable for the breach.
John Pescatore
The blame game continues. Credential theft is a top enabler for many security incidents. Evildoers know this and often target third-party service providers to maximize the attack and potential payoff. Bottom line: what’s common between Ticketmaster and Santander is the use of Snowflake; that fact isn’t under dispute.
Curtis Dukes
Read more in
SEC: Form 8-K | Live Nation Entertainment, Inc.
Santander: Statement
Snowflake: Detecting and Preventing Unauthorized User Access
Security Week: Snowflake Data Breach Impacts Ticketmaster, Other Organizations
Wired: The Ticketmaster Data Breach May Be Just the Beginning
The Record: Cloud company Snowflake denies that reported breach originated with its products
The Record: Live Nation confirms Ticketmaster breach after hackers hawk stolen info of 560 million
The Register: Snowflake denies miscreants melted its security to steal data from top customers
Help Net Security: Snowflake denies breach, blames data theft on poorly secured customer accounts
Dark Reading: Ticketmaster Confirms Cloud Breach, Amid Murky Details