Cloud company Snowflake denies that reported breach originated with its products

The cloud storage provider Snowflake is denying that its products were to blame for an apparent data breach impacting the company’s clients, including Ticketmaster and Santander Bank. 

This week, hackers with the ShinyHunters group claimed to have stolen personal data belonging to 560 million Ticketmaster customers and 30 million Santander customers. 

On Friday, researchers at the firm Hudson Rock published an analysis of online interactions with hackers who claimed they had breached Snowflake’s system to steal a huge trove of data from the two companies, among others yet to be named. The hackers had put the data up for sale on the Russian language cybercrime forum, exploit[.]in.

Hudson Rock's post has since been removed from its website, which the company attributed on Monday to a letter "received from Snowflake's legal counsel."

According to the original post, the intruders were able to sign into a Snowflake employee’s ServiceNow account using stolen credentials, and from there were able to generate session tokens.  

“To put it bluntly, a single credential resulted in the exfiltration of potentially hundreds of companies that stored their data using Snowflake, with the threat actor himself suggesting 400 companies are impacted,” Hudson Rock wrote. ServiceNow is a separate IT management platform.

In a post on Friday, Snowflake did not respond directly to the researchers’ claims but denied that a vulnerability within its systems was to blame for the accessing of customer data. The company said it is “investigating an increase in cyber threat activity” targeting some customer accounts.

“Research indicates that these types of attacks are performed with our customers’ user credentials that were exposed through unrelated cyber threat activity,” they said. “To date, we do not believe this activity is caused by any vulnerability, misconfiguration, or malicious activity within the Snowflake product.”  

Snowflake acknowledged that a former employee’s demo account was accessed through stolen credentials, but said it did not contain sensitive data. They also said there is no “pathway for customers’ credentials to be accessed and exfiltrated from the Snowflake production environment.”

The company’s response appeared to be at odds with claims by Hudson Rock that an apparently legitimate .csv file of stolen documents showed over 2,000 customer instances connected to Snowflake’s Europe servers.

The files also purportedly showed that a Snowflake employee was infected by infostealer malware last October. According to the threat actor, these were the credentials used to carry out the attack. 

Santander acknowledged an incident on May 14, releasing a statement that “certain information relating to customers of Santander Chile, Spain and Uruguay, as well as all current and some former Santander employees of the group had been accessed."

"No transactional data, nor any credentials that would allow transactions to take place on accounts are contained in the database, including online banking details and passwords," they said. 

Two weeks later, ShinyHunters claimed to have 30 million people’s bank account details, along with 28 million credit card numbers. Their claims have not been verified. 

Ticketmaster has not yet confirmed that customer data was accessed, but the cybercriminals claim to have information belonging to more than a half-billion customers, including partial credit card details.

Editor’s Note: Story updated June 3 to note why Hudson Rock removed its report from its website.