A major Snowflake data breach has been linked to the recent hacks of Santander and Ticketmaster, according to cybersecurity experts. Santander, employing 200,000 people globally, including around 20,000 in the UK, has confirmed the data theft.
It all looks linked to the Snowflake data breach
Santander has apologized for “the concern this will understandably cause,” and is “proactively contacting affected customers and employees directly.” It assured the BBC that “UK customer data was not affected or lost in the hack.” According to a statement posted earlier this month, “following an investigation, we have now confirmed that certain information relating to customers of Santander Chile, Spain, and Uruguay, as well as all current and some former Santander employees of the group, had been accessed.”
Santander emphasized that “no transactional data, nor any credentials that would allow transactions to take place on accounts are contained in the database, including online banking details and passwords.” It assured customers that its banking systems were unaffected, enabling secure transactions to continue.
Researchers at Dark Web Informer first spotted an advert on a hacking forum, posted by a group calling itself ShinyHunters, claiming to hold important data.
Santander has not verified these claims. ShinyHunters have previously sold data confirmed to have been stolen from US telecoms firm AT&T and are now selling what they claim is a significant amount of private data from Ticketmaster. The Australian government is working with Ticketmaster to address the issue, and the FBI has offered assistance.
Some experts caution that ShinyHunters’ claims could be a publicity stunt. However, researchers at cybersecurity company Hudson Rock assert that the Santander breach and the apparent Ticketmaster breach are linked to a significant ongoing hack of a large cloud storage company called Snowflake.
Hudson Rock claims to have communicated with the perpetrators of the alleged Snowflake data breach, who assert they gained access to Snowflake’s internal system by stealing the login details of a Snowflake employee. Snowflake, in a statement on Friday, acknowledged “potentially unauthorized access” to a “limited number” of customer accounts. The company clarified that hackers appeared to have used login information to access a demo account owned by a former employee, which “did not contain sensitive data.” Snowflake stated, “We have no evidence suggesting this activity was caused by any vulnerability, misconfiguration, or breach of Snowflake’s product.”
In a detailed analysis, Kevin Beaumont provided an overview of the massive Snowflake data breach.
Overview of the incident:
- Snowflake is at the center of what appears to be one of the largest data breaches ever, potentially involving the data of millions of individuals. This breach has affected several of Snowflake’s customers, leading to significant data exfiltration.
- The Snowflake data breach was carried out by the ShinyHunters hacking group, which previously targeted companies like AT&T and Ticketmaster. They claim to have accessed vast amounts of data, including 30 million bank account details and 28 million credit card numbers.
- The hackers gained access to Snowflake databases using credentials harvested by infostealing malware. This was facilitated by Snowflake’s insufficient security measures, such as the lack of multi-factor authentication on demo accounts.
Snowflake’s own demo environment was compromised because it did not employ multi-factor authentication, allowing hackers to gain access using the credentials of a former employee. Snowflake issued an alert about potential threat activity, advising customers to monitor for connections from the user agent “rapeflake.” It has engaged cybersecurity firms CrowdStrike and Mandiant for incident response. Snowflake acknowledged that the breach was facilitated by single-factor authentication and the use of credentials obtained through malware.
Snowflake’s customers, spanning various sectors, experienced significant data losses. The breach highlights the need for improved security practices among cloud service providers.
While Snowflake attempts to shift some blame to its customers’ security practices, the incident underscores the need for Snowflake to enhance its own security measures and take accountability.
Beaumont advises that to prevent such breaches, robust multi-factor authentication and secure authentication practices must be implemented. Cloud providers need to adopt more stringent security defaults to protect their customers.
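The two checks the article describes, watching for the flagged user agent and finding accounts that still log in with a single factor, as an added example that is not part of the original article or of Snowflake’s own tooling. It runs over a constructed sample of authentication records; the field names (user, user_agent, factors, success) are assumptions for this example, not Snowflake’s real log schema.

```python
import json

# Constructed sample of authentication-log records (newline-delimited JSON).
# Field names (user, user_agent, factors, success) are assumptions for this
# example, not Snowflake's real log schema.
SAMPLE_LOG = """
{"ts": "2024-05-30T01:12:44Z", "user": "svc_reporting", "user_agent": "rapeflake", "factors": ["password"], "success": true}
{"ts": "2024-05-30T01:13:02Z", "user": "svc_reporting", "user_agent": "rapeflake", "factors": ["password"], "success": true}
{"ts": "2024-05-30T08:02:10Z", "user": "alice", "user_agent": "SnowSQL 1.2.24", "factors": ["password", "totp"], "success": true}
{"ts": "2024-05-30T08:05:31Z", "user": "bob", "user_agent": "JDBC 3.13.30", "factors": ["password"], "success": false}
{"ts": "2024-05-30T09:41:07Z", "user": "demo_legacy", "user_agent": "Python 3.11", "factors": ["password"], "success": true}
"""

# User agent the article says Snowflake told customers to watch for.
FLAGGED_AGENTS = ("rapeflake",)


def parse_records(text):
    """Parse newline-delimited JSON into dicts, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def is_single_factor_success(rec):
    """True for a successful login that presented fewer than two factors:
    exactly the pattern that lets an infostealer-harvested password be replayed."""
    return bool(rec.get("success")) and len(rec.get("factors", [])) < 2


def find_findings(records):
    """Return (reason, record) pairs for a responder to triage.
    Reasons mirror the two weaknesses the article describes: a client that
    identifies itself with a flagged user agent, and a login that succeeded
    with a single factor (no MFA challenge)."""
    findings = []
    for rec in records:
        agent = rec.get("user_agent", "").lower()
        if any(bad in agent for bad in FLAGGED_AGENTS):
            findings.append(("flagged_user_agent", rec))
        if is_single_factor_success(rec):
            findings.append(("single_factor_success", rec))
    return findings


def users_without_mfa(records):
    """Users with at least one successful single-factor login: the set to
    force into MFA enrolment (or disable) first."""
    return sorted({r["user"] for r in records if is_single_factor_success(r)})


if __name__ == "__main__":
    recs = parse_records(SAMPLE_LOG)
    for reason, rec in find_findings(recs):
        print(f"{reason:22} {rec['ts']} {rec['user']:14} {rec['user_agent']}")
    print("users to enrol in MFA:", users_without_mfa(recs))
```

Failed logins are deliberately ignored by the single-factor check so the list reflects accounts that actually got in without a second factor, not password-guessing noise.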
Image credits: Kerem Gülen/Midjourney