A threat actor has reportedly taken responsibility for recent data breaches involving Ticketmaster and Santander Bank, claiming they stole data after hacking an employee account at Snowflake, a third-party cloud storage company. Snowflake, however, has shot down these breach claims, attributing the breaches to poor credential hygiene in customer accounts instead.
“To date, we do not believe this activity is caused by any vulnerability, misconfiguration, or malicious activity within the Snowflake product,” the cloud storage giant said in a statement today.
Snowflake’s AI Data Cloud platform serves more than 9,000 customers, including major companies such as Adobe, AT&T, Capital One, DoorDash, HP, JetBlue, Mastercard, Micron, NBC Universal, Nielsen, Novartis, Okta, PepsiCo, Siemens, US Foods, Western Union, and Yamaha, among others.
Alleged Snowflake Breach Details
According to cybersecurity firm Hudson Rock, the threat actor claims to have accessed data from additional high-profile companies using Snowflake’s services, including Anheuser-Busch, State Farm, Mitsubishi, Progressive, Neiman Marcus, Allstate, and Advance Auto Parts.
The method described involved bypassing Okta’s authentication by using stolen credentials to log into a Snowflake employee’s ServiceNow account. From there, they allegedly generated session tokens to extract data from Snowflake customers.
Hudson Rock reported that the threat actor claimed the breach affected up to 400 companies, showing evidence of access to over 2,000 customer instances related to Snowflake’s Europe servers.
Extortion Attempt and Malware Involvement
The threat actor claimed to have attempted to extort Snowflake for $20 million to buy back the stolen data, but Snowflake did not respond. Hudson Rock noted that a Snowflake employee was infected with a Lumma-type Infostealer in October, which stole their corporate credentials. The malware infection was supported by screenshots shared by the threat actor.
Snowflake Responds
Snowflake has confirmed breaches of customer accounts but denied that any vulnerability or misconfiguration in its products was exploited. The cloud storage company stated that they observed unauthorized access to certain customer accounts , which they said is likely unrelated to any flaws in Snowflake’s infrastructure.
“We believe this is the result of ongoing industry-wide, identity-based attacks with the intent to obtain customer data. Research indicates that these types of attacks are performed with our customers’ user credentials that were exposed through unrelated cyber threat activity.
Snowflake has notified the “limited” number of customers about these attacks and urged them to enhance their account security by enabling multi-factor authentication (MFA).
Tools and Indicators of Compromise
The company published a security bulletin containing Indicators of Compromise (IoCs), investigative queries, and guidance for securing affected accounts.
One IoC indicates that the threat actors used a custom tool named “RapeFlake” to exfiltrate data from Snowflake’s databases. Another showed the use of “DBeaver Ultimate” data management tools, with logs indicating connections from the “DBeaver_DBeaverUltimate” user agent.
Snowflake also shared query to identify access from suspected clients and how to disable a suspected user. But this might not be enough. A very important step here is:
“If you have enabled the ALLOW_ID_TOKEN parameter on your account, the user must be left in the disabled state for 6 hours to fully invalidate any possible unauthorized access via this ID token feature. If the user is re-enabled before this time the attacker may be able to generate a new session using an existing ID token, even after the password has been reset or MFA has been enabled.”
While a threat actor claims to have breached Snowflake and accessed data from numerous high-profile companies, Snowflake maintains that these breaches resulted from compromised customer accounts rather than any inherent vulnerabilities in their systems. Snowflake continues to investigate the incidents and has taken steps to improve customer account security.
