Jun 4, 2024 - Technology

Mysterious corporate breaches could link to Snowflake cloud accounts


Illustration: Shoshana Gordon/Axios

Cloud computing company Snowflake warned its customers over the weekend that hackers appear to be targeting accounts that don't use multifactor authentication (MFA).

Why it matters: The warning is the latest installment in a confusing and rapidly evolving tale that may also involve the headline-grabbing Ticketmaster breach.

State of play: A domino effect of events has been unfolding since last week when a hacker group started advertising stolen Ticketmaster customer information for $500,000 on a popular hacker forum.

  • A few days after the post, a cybersecurity vendor published a since-deleted report quoting a hacker who claimed the group had stolen data from Ticketmaster and Santander Bank through their Snowflake accounts. (The vendor said Monday it had taken the post down after receiving a letter from Snowflake's legal counsel.)
  • On Friday, Ticketmaster-parent Live Nation issued a public 8-K filing saying it had identified "unauthorized activity within a third-party cloud database" on May 20. A company spokesperson told TechCrunch that the affected database was hosted on Snowflake.
  • Snowflake then issued a joint statement with CrowdStrike and Mandiant over the weekend saying it had found no evidence that the recent unauthorized access to customer accounts was caused by a vulnerability, misconfiguration or breach of Snowflake's own platform.
  • Snowflake added that it appears these malicious actors leveraged credentials "previously purchased or obtained through infostealing malware" to access some customers' accounts, as well as stolen credentials to access a former employee's demo accounts.

Threat level: The precise extent of the unauthorized access — and whether it's directly tied to these massive, headline-grabbing corporate leaks — is still being determined.

  • If the hackers are to be believed, at least 500 million people's personal information, including financial data and home addresses, could have been stolen.
  • A top Australian cyber agency warned Saturday that it's tracking "increased cyber threat activity" related to Snowflake customer environments.
  • Snowflake said that only a "limited number" of customers have been affected, but it did not provide a specific number. Snowflake's customers include JetBlue, Mastercard, Honeywell and other major companies.
  • Mandiant Consulting CTO Charles Carmakal told BleepingComputer that his firm has been assisting compromised Snowflake customers for several weeks already.

What they're saying: "The question is what kind of net increase in risk does that actually add to most people?" Rafe Pilling, director of threat intelligence at Secureworks' Counter Threat Unit, told Axios. "It probably feeds into just the run-of-the-mill volume of scams that most people receive on a day-to-day basis."

Between the lines: Even as companies move to the cloud for data storage and analytics, the same old hacking tactics will follow them.

  • All internet-facing databases need to have some sort of MFA added to them to keep attackers out, Pilling said.

But MFA can be difficult for companies to keep up with, Pilling noted.

  • Some small businesses might need to share passwords for a single enterprise account, which makes MFA hard to enforce. Or an employee could pick up infostealer malware while logging into a personal account on a work laptop, handing the attacker every credential saved on that machine.

The big picture: Stolen credentials remain a relatively easy way for attackers to break into accounts.

  • IBM reported a 71% increase in the number of attacks relying on valid login credentials in 2023 compared with 2022, for instance.

The bottom line: Snowflake has published a list of indicators of compromise that can help customers determine if they've been affected.

  • The company also recommended that all customers immediately turn on MFA for their accounts and set a policy for regularly reviewing who has access to them.
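For customers who want to act on that advice, the following Snowflake SQL is an added example written for this page, not Snowflake's published indicator list. It assumes a role with access to the `SNOWFLAKE.ACCOUNT_USAGE` views (ACCOUNTADMIN or a role granted IMPORTED PRIVILEGES on the SNOWFLAKE database); the user name `suspect_user`, the policy name `corp_egress_only` and the IP range are placeholders. It finds accounts that can still log in with a password and no MFA, lists password-only logins with the source IP and client that presented them, and shows the containment steps for an account that looks wrong.

```sql
-- Added example, not Snowflake's own hunting guide. ACCOUNT_USAGE views
-- lag real time by up to a few hours, so pair this with SHOW USERS and
-- the INFORMATION_SCHEMA.LOGIN_HISTORY table function for the last hour.

-- 1. Users who can log in with a password but have no MFA enrolled.
--    EXT_AUTHN_DUO is true only once the user has set up Duo MFA.
SELECT name, login_name, last_success_login, has_rsa_public_key
FROM snowflake.account_usage.users
WHERE deleted_on IS NULL
  AND disabled = FALSE
  AND has_password = TRUE
  AND ext_authn_duo = FALSE
ORDER BY last_success_login DESC NULLS LAST;

-- 2. Successful logins in the last 30 days that used a password and no
--    second factor, with the source IP and client that presented them.
--    For each user, an IP or client application you do not recognise is
--    the first thing to triage against the published indicators.
SELECT l.event_timestamp,
       l.user_name,
       l.client_ip,
       l.reported_client_type,
       l.reported_client_version,
       s.client_application_id,
       s.client_environment
FROM snowflake.account_usage.login_history AS l
LEFT JOIN snowflake.account_usage.sessions AS s
       ON s.login_event_id = l.event_id
WHERE l.event_timestamp >= DATEADD(day, -30, CURRENT_TIMESTAMP())
  AND l.is_success = 'YES'
  AND l.first_authentication_factor = 'PASSWORD'
  AND l.second_authentication_factor IS NULL
ORDER BY l.user_name, l.event_timestamp;

-- 3. Containment for an account flagged by query 2 (placeholder names).
--    Block further logins, then force a new password so the stolen one
--    is useless once the account is re-enabled and enrolled in MFA.
ALTER USER suspect_user SET DISABLED = TRUE;
ALTER USER suspect_user SET PASSWORD = 'replace-with-a-generated-value'
                            MUST_CHANGE_PASSWORD = TRUE;

-- 4. Restrict where the whole account can connect from. 203.0.113.0/24
--    is a documentation range; put your own egress addresses here, and
--    include the address you are running this from, because Snowflake
--    rejects an account-level policy that would lock out the current
--    session.
CREATE NETWORK POLICY IF NOT EXISTS corp_egress_only
  ALLOWED_IP_LIST = ('203.0.113.0/24');
ALTER ACCOUNT SET NETWORK_POLICY = corp_egress_only;
```

Query 2 is the one worth scheduling: the joint statement describes credential reuse rather than an exploit, so a password-only login from a fresh IP with an unfamiliar client is the signal to chase, and disabling the account before resetting its password closes the window in which the attacker could log in again with the old one.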