Massive Ticketmaster, Santander data breaches linked to Snowflake cloud storage
A data breach potentially affecting as many as 560 million Ticketmaster accounts, and a confirmed breach at Santander Bank, may have stemmed from attacks on cloud storage accounts held with a company called Snowflake. According to an investigation from cybersecurity firm Hudson Rock, a bad actor gained access to Ticketmaster and Santander by using the stolen credentials of a single Snowflake employee.
The hacker reportedly bypassed the authentication service Okta using these credentials and then generated session tokens to obtain a trove of information from Snowflake. Hudson Rock suggests that the hacker may have also gained access to hundreds of other Snowflake customers, including major brands like AT&T, HP, Instacart, DoorDash, NBCUniversal, and Mastercard.
The threat actor involved has been identified as a hacking group called ShinyHunters, which attempted to sell Ticketmaster’s data on the dark web for $500,000. ShinyHunters also claimed responsibility for the Santander breach and put information said to belong to over 30 million customers up for sale.
Snowflake has disputed Hudson Rock’s findings, stating that it observed increased threat activity from a subset of IP addresses and suspicious clients related to unauthorized access. While investigating potentially unauthorized access to certain customer accounts, Snowflake mentioned that a bad actor accessed a “demo account” belonging to a former employee, which did not contain sensitive information.
Even before Ticketmaster confirmed the breach, malware tracker vx-underground suggested that the leaked data is legitimate, with records dating back to the mid-2000s and including full names, emails, addresses, phone numbers, hashed credit card numbers, and more.
Santander confirmed that “certain information” of customers in Chile, Spain, and Uruguay had been accessed. Live Nation has also now confirmed the data breach. The Verge reached out to Ticketmaster and Santander for comment but did not immediately receive responses.