
Ticketmaster Suffers Snowflake Platform Data Breach Cyberattack That Compromised User Data

Ticketmaster, along with multiple other organizations, experienced a significant data breach through a credential-based campaign against customer accounts hosted on the Snowflake cloud data platform. Security researchers reported that substantial amounts of information were stolen, impacting millions of users.

Discovery of the Breach

The breach came to public attention when a notorious hacking group claimed to have exfiltrated the data of 560 million users, demanding $500,000 for the information. Live Nation Entertainment, Ticketmaster's parent company, confirmed the breach in an SEC filing, revealing unauthorized access to a third-party cloud database.

On May 31, Snowflake disclosed that it was investigating a cyber incident affecting a limited number of customers. The threat actors targeted customer accounts configured with single-factor (password-only) authentication, logging in with credentials that had been stolen earlier. Snowflake emphasized that there was no evidence of a vulnerability in, or breach of, its core platform.

Security Measures and Company Response

Snowflake stated that the compromised credentials belonged to a former employee and were used to access demo accounts, which did not contain sensitive data. Unlike Snowflake's corporate systems, the demo accounts were not protected by multi-factor authentication (MFA). The company published indicators of compromise (IoCs) and recommended mitigations so that customers could detect and respond to suspicious account activity.

The cyberattack affected numerous organizations, including Anheuser-Busch, Allstate, Mitsubishi, Neiman Marcus, Progressive, Santander Bank, and State Farm. Santander Bank reported unauthorized access to its databases, compromising customer and employee information. The attack potentially impacted around 400 organizations, with the attackers demanding $20 million from Snowflake.

Investigative Findings

Threat actors claimed to have bypassed Okta protections and generated session tokens, allowing them to steal massive amounts of data. Reports indicated that over 500 demo environment instances were compromised. The Australian Cyber Security Centre acknowledged the increased threat activity targeting Snowflake customer environments.

Security researcher Kevin Beaumont highlighted that Snowflake's failure to require MFA on demo environments and to properly secure employee accounts contributed to the breach. The threat actors, identified as teenagers active on Telegram, used credentials harvested by infostealer malware to log in to Snowflake customer databases.

Recommendations for Snowflake/Ticketmaster Customers

Customers are advised to disable inactive accounts, ensure MFA is enabled for every user that can authenticate with a password, reset credentials for active accounts, review recent login history against the published IoCs, and follow Snowflake's mitigation recommendations to protect their data.
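The following Snowflake SQL is an added example of how an account administrator could carry out the audit and remediation steps above; it is not from the article or from Snowflake's own guidance. It assumes the ACCOUNTADMIN role, the SNOWFLAKE.ACCOUNT_USAGE views (USERS and LOGIN_HISTORY), and placeholder user names and an IP range that are constructed for illustration.

```sql
-- Added example (not from the article or Snowflake): audit and remediation
-- statements for a Snowflake account after a credential-theft campaign.
-- Assumes ACCOUNTADMIN and the SNOWFLAKE.ACCOUNT_USAGE views, whose data
-- lags live activity by up to about two hours.
USE ROLE ACCOUNTADMIN;

-- 1. Users that can still log in with a password and have no MFA enrolled.
--    HAS_PASSWORD = TRUE with EXT_AUTHN_DUO = FALSE is the single-factor
--    profile the campaign targeted; key-pair or SSO-only users show
--    HAS_PASSWORD = FALSE and are not listed here.
SELECT name, last_success_login, password_last_set_time
FROM snowflake.account_usage.users
WHERE deleted_on IS NULL
  AND disabled = FALSE
  AND has_password = TRUE
  AND ext_authn_duo = FALSE
ORDER BY last_success_login NULLS FIRST;

-- 2. Accounts with no successful login in the last 90 days (or ever):
--    candidates to disable.
SELECT name, created_on, last_success_login
FROM snowflake.account_usage.users
WHERE deleted_on IS NULL
  AND disabled = FALSE
  AND (last_success_login IS NULL
       OR last_success_login < DATEADD(day, -90, CURRENT_TIMESTAMP()));

-- 3. Successful password-only logins in the last 30 days, grouped by user,
--    source IP and client type, to spot stolen credentials being used from
--    unfamiliar networks or tools.
SELECT user_name,
       client_ip,
       reported_client_type,
       MIN(event_timestamp) AS first_seen,
       MAX(event_timestamp) AS last_seen,
       COUNT(*)             AS logins
FROM snowflake.account_usage.login_history
WHERE event_timestamp > DATEADD(day, -30, CURRENT_TIMESTAMP())
  AND is_success = 'YES'
  AND first_authentication_factor = 'PASSWORD'
  AND second_authentication_factor IS NULL
GROUP BY user_name, client_ip, reported_client_type
ORDER BY first_seen DESC;

-- 4. Remediation for users flagged above (svc_reporting and analyst_jdoe are
--    placeholder names, not real accounts).
ALTER USER svc_reporting SET DISABLED = TRUE;            -- inactive account: disable
ALTER USER analyst_jdoe  SET MUST_CHANGE_PASSWORD = TRUE; -- active account: force rotation at next login
ALTER USER analyst_jdoe  RESET PASSWORD;                  -- or issue a one-time reset link instead

-- 5. Limit where logins may originate. 203.0.113.0/24 is a placeholder from
--    the documentation address range; replace it with your own egress ranges.
CREATE OR REPLACE NETWORK POLICY corp_only
  ALLOWED_IP_LIST = ('203.0.113.0/24');
ALTER ACCOUNT SET NETWORK_POLICY = corp_only;
```

Run steps 1 to 3 first and keep the output as an investigation record before changing anything. MFA enrollment in Snowflake is done by the user, so the list from step 1 is a work list to chase, not something the administrator can complete with a single statement. Before applying the network policy at account level, confirm that the address you are connecting from is inside ALLOWED_IP_LIST, otherwise the policy will lock out the administrator along with the attacker.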

The Ticketmaster data breach, carried out through Snowflake-hosted accounts, underscores the importance of robust security measures, including multi-factor authentication and vigilant credential management, against attacks that need nothing more than a stolen password to succeed.
