Cloud data warehousing giant Snowflake has disclosed a major security breach affecting an unknown number of its corporate customers, including entertainment titans Ticketmaster and Live Nation. The incident exposes potential vulnerabilities in the rapidly growing cloud data ecosystem.
SecureWorld News reported last week on the Ticketmaster/Live Nation alleged breach affecting 560 million users.
Snowflake provides a centralized data platform that allows companies to store, manage, and analyze massive volumes of structured and semi-structured data entirely in the cloud. Its client roster includes more than 7,000 organizations spanning healthcare, finance, retail, technology, and more.
In an advisory released late Friday, Snowflake revealed that an "unauthorized actor" gained access to its internal systems through compromised employee credentials. This allowed the threat actor to access and exfiltrate data hosted on the Snowflake platform across multiple customer accounts.
The breach impacted at least Ticketmaster and Live Nation, its parent company, which both issued alerts warning about potential unauthorized access to customer data stored in Snowflake.
"The illegally obtained data included names, email addresses, physical addresses and other customer information," Live Nation CEO Michael Rapino stated. "We have no indication that payment card data or passwords were compromised."
While Ticketmaster and Live Nation have yet to specify exactly how many customers were affected, the potential data exposure could be widespread given their status as two of the world's largest live entertainment ticketing and event companies.
Brad Jones, CISO at Snowflake, issued a Joint Statement regarding Preliminary Findings in Snowflake Cybersecurity Investigation on its Snowflake Forums. Here's an excerpt:
"Snowflake and third-party cybersecurity experts, CrowdStrike and Mandiant, are providing a joint statement related to our ongoing investigation involving a targeted threat campaign against some Snowflake customer accounts.
Our key preliminary findings identified to date:
- We have not identified evidence suggesting this activity was caused by a vulnerability, misconfiguration, or breach of Snowflake's platform;
- We have not identified evidence suggesting this activity was caused by compromised credentials of current or former Snowflake personnel;
- This appears to be a targeted campaign directed at users with single-factor authentication;
- As part of this campaign, threat actors have leveraged credentials previously purchased or obtained through infostealing malware; and
- We did find evidence that a threat actor obtained personal credentials to and accessed demo accounts belonging to a former Snowflake employee. It did not contain sensitive data. Demo accounts are not connected to Snowflake's production or corporate systems. The access was possible because the demo account was not behind Okta or Multi-Factor Authentication (MFA), unlike Snowflake's corporate and production systems.
Throughout the course of the investigation, Snowflake has promptly informed the limited number of Snowflake customers who it believes may have been affected. Mandiant has also engaged in outreach to potentially affected organizations."
Beyond the headline Ticketmaster breach, questions swirl around what other major Snowflake customers like DocuSign, DoorDash, and Instacart may have also had sensitive data accessed. The full scope of the infiltration remains unclear.
Cybersecurity experts warn the Snowflake incident reflects an escalation of supply chain and third-party data security risks as companies increasingly rely on centralized cloud services providers. Concentrated data stores equate to concentrated liability—and concentrated damage from breaches.
Snowflake stated it has taken steps to secure its systems, notified impacted customers, and is working with security firms and law enforcement agencies to investigate the incident's origins and magnitude. More from its joint statement:
"We recommend organizations immediately take the following steps:
- Enforce Multi-Factor Authentication on all accounts;
- Set up Network Policy Rules to only allow authorized users or only allow traffic from trusted locations (VPN, Cloud workload NAT, etc.); and
- Impacted organizations should reset and rotate Snowflake credentials.
In addition, please review Snowflake's investigative and hardening guidelines for recommended actions to assist investigating potential threat activity within Snowflake customer accounts. This investigation is ongoing. We are also coordinating with law enforcement and other government authorities."
As forensics and damage assessments continue, the Snowflake breach could catalyze wider scrutiny and potential regulation around cloud data supply chain integrity and security responsibilities shared between platforms and their customers.
Cybersecurity vendor experts had these additional comments:
- "Recent findings from Snowflake and Live Nation's SEC filing suggest compromised user accounts on Snowflake's service, not a breach of its databases. This isn't a supply chain hack but a reminder: if users can access your SaaS with just a password, so can attackers," said Toby Lewis, Global Head of Threat Analysis at Darktrace. "In this case, it appears that the security of cloud-hosted data is only as strong as the users' passwords. Credential phishing, keyloggers, and weak passwords make accounts vulnerable. Cloud providers should encourage better security practices, such as mandatory MFA, even without explicit requirements on them to do so under the shared responsibility model. In essence, it becomes a differentiator when weighing up different cloud providers—pick the one that has secure-by-default practices to enhance overall security."
- "Mandatory Multi-Factor Authentication and other secure-by-default practices may not be included by cloud providers as part of the shared responsibility model in an effort to offer more flexibility and tailored solutions for customers. Each organization has unique security requirements and preferences, and uniform security measures could limit the flexibility and customization that customers seek from cloud services. Additionally, some customers may already have robust security protocols in place or may prefer to implement their own security measures, which are tailored to their specific needs," said Patrick Tiquet, Vice President, Security & Architecture, at Keeper Security. "However, there are potential risks to relying on customer-driven security measures, as highlighted by this recent attack involving Snowflake. Threat actors are constantly evolving their attacks to exploit any weaknesses, and organizations with weak or absent authentication mechanisms are prime targets for hackers to gain unauthorized access. As cloud adoption continues to rise, and more organizations transition their operations to the cloud, it's imperative for both cloud providers and customers to prioritize security and implement robust measures to protect against cyber threats."
- "MFA by default may not work for everyone. It may not work with some configurations, operating systems, or other environmental reasons, including scenarios where the authentication process does not involve a human," said Jason Soroko, Senior Vice President of Product at Sectigo. "MFA as a user experience is far from perfect. A better solution is to move towards passwordless authentication wherever possible. Attackers will always go after the weakest link, however, it's unclear if lack of MFA by default is entirely to blame here."
