Snowflake Says 'No Evidence' Its Platform Is at Fault for Ticketmaster Breach

More than half a billion Ticketmaster users fell victim to a data breach — which came to light last week — where a reported 1.3 terabytes of data is up for sale on the dark web with an asking price of $500,000. Now, the cloud storage provider Snowflake is speaking out, noting that there is no evidence its platform is at fault for the breach.

Snowflake was linked to both the Ticketmaster and Santander data breaches, and an earlier third-party report — which has since been removed — claimed bad actors generated session tokens and may have compromised “hundreds” of Snowflake accounts. The report, posted by the security firm Hudson Rock, said in a LinkedIn post that all content related to the report was taken down “in accordance to a letter we received from Snowflake’s legal counsel.”

Snowflake released a statement alongside third-party security companies CrowdStrike and Mandiant this week — who are also investigating the incident — and assured consumers that “to date, we do not believe this activity is caused by any vulnerability, misconfiguration, or malicious activity within the Snowflake product.”

“Throughout the course of our ongoing investigation, we have promptly informed the limited number of customers who we believe may have been impacted,” the joint statement said.

Additionally, the companies claimed that this “appears to be a targeted campaign directed at users with single-factor authentication” and “threat actors have leveraged credentials previously purchased or obtained through infostealing malware.”

“We did find evidence that a threat actor obtained personal credentials to and accessed demo accounts belonging to a former Snowflake employee,” the statement continued. “It did not contain sensitive data. Demo accounts are not connected to Snowflake’s production or corporate systems. The access was possible because the demo account was not behind Okta or Multi-Factor Authentication (MFA), unlike Snowflake’s corporate and production systems.”

After 11 days, Live Nation Entertainment confirmed that a data breach took place on the Ticketmaster system, though the entertainment giant did not confirm any details regarding the scope or timing of the breach. In an SEC filing, shared on Friday, Live Nation said it identified unauthorized activity on May 20, 2024, and subsequently, launched an investigation.

As reported on Wednesday, the “hacker” group ShinyHunters has claimed it has cracked the Ticketmaster system and accessed some 1.3 terabytes of data, which includes names, addresses, credit card numbers, phone numbers, and payment details, involving 560 million customers globally.

While it is unclear which markets were impacted in the hack, or what percentage of consumers impacted are from what markets, the risk for any impacted consumer is very high, given the highly sensitive data that appears to be involved.

In a statement on X, VX-Underground said ShinyHunters did not carry out the attack itself, but rather, acted as a proxy for the threat group responsible. VX-Underground went on to note that based on the data provided to them by the threat group, “we can assert with a high degree of confidence the data is legitimate.” The date ranges in the database reportedly go back to 2011, with some dates showing information from the mid-2000s.

VX-Underground said the data shared with them includes:

• Full Name
• Email address
• Address
• Telephone number
• Credit card number (hashed)
• Credit card type, authentication type
• All user financial transactions

“The data provided to us, even as a ‘sample’, was absurdly large and made it difficult to review in depth,” VX-Underground said. “We are unable to verify the authenticity of financial information. Briefly skimming the PII present in the dump, it appears authentic.”

While this wouldn’t be the first time Ticketmaster suffered a data breach, this hacker claim would be among the largest ever reported.