Update 6/1/24: Hudson Rock has taken down their report that a hacker breached Snowflake to steal the data, casting doubt on the hacker’s claims. BleepingComputer reached out to find out why, but the cybersecurity company has yet to reply. Our original report is below.
A threat actor claiming recent Santander and Ticketmaster breaches says they stole data after hacking into an employee's account at cloud storage company Snowflake. However, Snowflake disputes these claims, saying recent breaches were caused by poorly secured customer accounts.
Snowflake's cloud data platform is used by 9,437 customers, including some of the largest companies worldwide, like Adobe, AT&T, Capital One, Doordash, HP, Instacart, JetBlue, Kraft Heinz, Mastercard, Micron, NBC Universal, Nielsen, Novartis, Okta, PepsiCo, Siemens, US Foods, Western Union, Yamaha, and many others.
According to cybersecurity firm Hudson Rock, the threat actor claimed they also gained access to data from other high-profile companies using Snowflake's cloud storage services, including Anheuser-Busch, State Farm, Mitsubishi, Progressive, Neiman Marcus, Allstate, and Advance Auto Parts.
To do that, they say they bypassed Okta's secure authentication process by signing into a Snowflake employee's ServiceNow account using stolen credentials. Next, they claim they could generate session tokens to exfiltrate data belonging to Snowflake customers.
"To put it bluntly, a single credential resulted in the exfiltration of potentially hundreds of companies that stored their data using Snowflake, with the threat actor himself suggesting 400 companies are impacted," Hudson Rock said.
"[T]he threat actor shared with Hudson Rock's researchers, which shows the depth of their access to Snowflake servers. This file documents over 2,000 customer instances relating to Snowflake's Europe servers."
The threat actor claims they wanted to blackmail Snowflake into buying back the stolen data for $20 million, but the company didn't reply to their extortion attempts.
Hudson Rock added that a Snowflake employee was infected by a Lumma-type Infostealer in October. The malware stole their corporate credentials to Snowflake infrastructure, as seen in a screenshot shared by the threat actor and embedded below.
Mandiant Consulting CTO Charles Carmakal told BleepingComputer that Mandiant has spent the past few weeks assisting Snowflake customers who were compromised.
The company's investigations so far indicate that the threat actors likely used credentials stolen by information-stealing malware to gain access to victims' Snowflake tenants.
"Any SaaS solution that is configured without multifactor authentication is susceptible to be mass exploited by threat actors. We encourage all cloud users to implement 2-factor or better and IP-based restrictions," warned Carmakal.
"We anticipate threat actors will replicate this campaign across other SaaS solutions that contain sensitive enterprise data."
BleepingComputer contacted Snowflake about the threat actor's claims that an employee was breached, but a spokesperson said the company had "nothing else to add."
Santander and Ticketmaster spokespersons were not immediately available for comment when contacted by BleepingComputer earlier today.
BleepingComputer was able to confirm that both Santander and Ticketmaster are using Snowflake's cloud storage services.
If you have any information regarding this incident or other Snowflake data theft breaches, you can contact us confidentially via Signal at 646-961-3731 or at tips@bleepingcomputer.com.
Snowflake confirms customer account hacks
Snowflake didn't confirm Hudson Rock's report, instead stating that the attacker compromised customer accounts in these breaches, and didn't exploit any vulnerability or misconfiguration in the company's products.
The cloud storage provider also warned customers on Friday that it's investigating "an increase" in attacks targeting some of their accounts, with Snowflake CISO Brad Jones adding that some customer accounts were compromised on May 23.
"We became aware of potentially unauthorized access to certain customer accounts on May 23, 2024. During our investigation, we observed increased threat activity beginning mid-April 2024 from a subset of IP addresses and suspicious clients we believe are related to unauthorized access," Jones said.
"To date, we do not believe this activity is caused by any vulnerability, misconfiguration, or malicious activity within the Snowflake product. Throughout the course of our ongoing investigation, we have promptly informed the limited number of customers who we believe may have been impacted."
Jones says Snowflake notified all customers of the attacks and urged them to secure their accounts and data by enabling multi-factor authentication (MFA).
The data cloud company also published a security bulletin with Indicators of Compromise (IoCs), investigative queries, and advice on how potentially affected customers can secure their accounts.
One of the IoCs indicates that the threat actors created a custom tool named 'RapeFlake' to exfiltrate data from Snowflake's databases.
Another one showed the threat actors connecting to databases using the DBeaver Ultimate data management tool, with logs showing client connections from the 'DBeaver_DBeaverUltimate' user agent.
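As an added illustration (not taken from Snowflake's bulletin or from this report), the sketch below shows how a customer could triage exported session records for the two client names mentioned above, and how the missing second factor and unexpected source network that Carmakal warns about can be used to rank the hits. The row layout, field names, allowed network and sample rows are all assumptions constructed for the example.

```python
import ipaddress
import json

# Client application names the article reports as IoCs (compared lower-cased).
IOC_APPS = {"rapeflake", "dbeaver_dbeaverultimate"}
# Assumption: the network this organisation expects logins from (RFC 5737 range).
ALLOWED_NETS = [ipaddress.ip_network("198.51.100.0/24")]

# Constructed sample rows in a hypothetical export layout, not real log data.
SAMPLE_SESSIONS = [
    {"session_id": 101, "user": "etl_svc", "client_ip": "198.51.100.10",
     "second_factor": None, "client_environment": '{"APPLICATION": "PythonConnector"}'},
    {"session_id": 102, "user": "analyst1", "client_ip": "203.0.113.45",
     "second_factor": None, "client_environment": '{"APPLICATION": "DBeaver_DBeaverUltimate"}'},
    {"session_id": 103, "user": "analyst2", "client_ip": "198.51.100.20",
     "second_factor": "TOTP", "client_environment": '{"APPLICATION": "DBeaver_DBeaverUltimate"}'},
    {"session_id": 104, "user": "analyst1", "client_ip": "203.0.113.45",
     "second_factor": None, "client_environment": '{"APPLICATION": "rapeflake"}'},
    {"session_id": 105, "user": "report_svc", "client_ip": "198.51.100.30",
     "second_factor": "TOTP", "client_environment": "not-json"},
]

def triage(row):
    """Return the reasons a session row deserves review (empty list if none)."""
    reasons = []
    try:
        env = json.loads(row.get("client_environment") or "{}")
    except json.JSONDecodeError:
        env = {}
        reasons.append("unparseable client_environment")
    app = str(env.get("APPLICATION", "")).lower() if isinstance(env, dict) else ""
    if app in IOC_APPS:
        reasons.append("ioc_client_app:" + app)
    ip = ipaddress.ip_address(row["client_ip"])
    if not any(ip in net for net in ALLOWED_NETS):
        reasons.append("outside_allowed_networks")
    if not row.get("second_factor"):
        reasons.append("no_second_factor")
    return reasons

def review_queue(rows):
    """Sessions with an IoC client name, most corroborating signals first."""
    hits = [(r["session_id"], r["user"], triage(r)) for r in rows]
    hits = [h for h in hits if any(x.startswith("ioc_client_app:") for x in h[2])]
    return sorted(hits, key=lambda h: len(h[2]), reverse=True)

def password_only_users(rows):
    """Users with at least one session that had no second factor (the MFA gap)."""
    return sorted({r["user"] for r in rows if not r.get("second_factor")})
```

DBeaver is also a legitimate database client, so a hit on that name alone (session 103 in the sample) ranks below hits that also lack a second factor and come from an unexpected network.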