On May 31, LiveNation, the parent company of Ticketmaster, filed a report with the US Securities and Exchange Commission (SEC) acknowledging that its customer databases had been breached. On May 28, the cybercriminal group ShinyHunters claimed to have stolen the personal data and order information of 560 million Ticketmaster customers and was demanding a ransom of $500,000 for the database.
Investigations by multiple parties now suggest that the Ticketmaster theft and other data breaches may be linked to the cloud-hosting platform Snowflake, which hosts the data of thousands of large companies worldwide, including LiveNation, Adobe, Canva, Mastercard, and Santander, a Spanish bank and financial services company.
Santander reported on May 31 that ShinyHunters also stole data belonging to 30 million of its customers in mid-May and was demanding $2 million in ransom.
ShinyHunters appears not to be the party that actually stole the information but rather an opportunistic seller of Snowflake-linked data that has appeared on the dark web. The day before ShinyHunters posted its ad offering the Ticketmaster database, a newly registered account on the cybercrime forum Exploit had posted the exact same ad.
Snowflake adamantly denied that its platform was the source of the data thefts, saying its investigation thus far has not uncovered any link to specific data breaches.
“If a threat actor obtains a customer’s credentials through some breach or the customer itself, then that malicious actor can access the customer’s data — as would be the case with any breach of credentials for any other product by any other provider,” Snowflake said in a blog.
Snowflake did acknowledge that in May it had observed an increase in attempted cyberattacks against customer databases on its platform that use only single-factor authentication. Another post on a Snowflake community forum stated that its investigation had found that “threat actors have leveraged credentials previously purchased or obtained through infostealing malware.”
All of these reports suggest that an as-yet unidentified threat actor is using stolen credentials to break into large corporations around the world and steal their customer data.