Snowstorm surrounding the recent Snowflake “hack”

June 1, 2024

by Roni Lichtman

On May 31st, cybersecurity vendor Hudson Rock published a post alleging a customer data breach in Snowflake titled “Snowflake, Cloud Storage Giant, Suffers Massive Breach”.

In this research, we aim to shed light on one of the largest data breaches to date. The story begins on May 26th, in a Telegram conversation with a threat actor claiming to have hacked two major companies, Ticketmaster and Santander Bank. In the conversation with Hudson Rock, the threat actor reveals that there is much more to the story than these two breaches, and that additional major companies suffered a similar fate, allegedly including: Anheuser-Busch, State Farm, Mitsubishi, Progressive, Neiman Marcus, Allstate, Advance Auto Parts.

Later that day, BBC reported: “Santander staff and ’30 million’ customers hacked”.

Shortly after, Snowflake denied the Hudson Rock claims in a post:

We are aware of recent reports related to a potential compromise of the Snowflake production environment… We have no evidence suggesting this activity was caused by any vulnerability, misconfiguration, or breach of Snowflake’s product... Snowflake does not believe that it was the source of any of the leaked customer credentials... We did find evidence that similar to impacted customer accounts, the threat actor obtained personal credentials to and accessed a demo account owned by a former Snowflake employee. It did not contain sensitive data. Demo accounts are not connected to Snowflake’s production or corporate systems. The access was possible because the demo account was not behind Okta or MFA, unlike Snowflake’s corporate and production systems.

Was Snowflake indeed hacked?

Short answer: no.

Slightly longer answer: A single Snowflake employee’s ServiceNow account appears to have been hacked, and some Snowflake customers have had their Snowflake accounts hacked via stolen user credentials.

So, what really happened?

In the 24 hours that have passed since initially posting the extremely serious claims, Hudson Rock has proceeded to edit, and eventually silently take down, its blog post. This came after Snowflake's direct, unambiguous denial of many of the claims.

Piecing together the evidence provided by Hudson Rock and Snowflake, I believe that the story is as follows:

  1. Hacking group “ShinyHunters” executed a campaign to target Snowflake customers by purchasing user credentials on the black market.
  2. ShinyHunters targeted credentials harvested via “Info Stealers”.
  3. ShinyHunters found Info Stealers on the following PCs:
    a) A Snowflake Sales Engineer (with access to Snowflake’s ServiceNow and some demo Snowflake accounts with fake data).
    b) A user in Santander’s Snowflake account without MFA.
    c) A user in TicketMaster’s Snowflake account without MFA.
  4. ShinyHunters leveraged the Santander & TicketMaster credentials to log into their Snowflake accounts and exfiltrate their sensitive data.
  5. ShinyHunters leveraged the Snowflake Sales Engineer’s credentials to log into ServiceNow and exfiltrate non-sensitive ticketing data (which included references to customers that the SE was working with, such as Mitsubishi, Progressive, Advance Auto Parts).
  6. ShinyHunters proceeded to blackmail Snowflake into paying them $20M, which Snowflake duly rejected.
  7. ShinyHunters proceeded to offer the sensitive Santander & Ticketmaster data on a cybercrime forum for $2M.
  8. ShinyHunters told Hudson Rock they had access to sensitive data from many more Snowflake customers, when in reality all they had was ticketing data from ServiceNow. Examples of files that the hacker group provided as “proof”: PROGRESSIVE_BID_CHANGE_<timestamp>.csv, ALLSTATE_CALLS_<timestamp>.csv

Lessons Learned

  1. Articles with sensational headlines should be taken with a grain of salt. Make sure to perform a diligent risk assessment based on real data and real evidence rather than conjecture.
  2. Hackers don’t break in, they log in. Cybercriminals have become more sophisticated and have started monetizing identity via info stealer attacks. As a result, identity-based attacks have become significantly easier.
  3. Defenders must adopt an “assume breach” mindset and address this with a defense-in-depth strategy. It is very likely that MFA could have prevented these attacks despite the leaked credentials.
  4. Info stealer campaigns work. It is crucial to ensure that all identities with access to sensitive data are available ONLY on managed devices (that have proper security software configurations that block info stealers). Make sure to implement controls to prevent employee identities from leaking to unmanaged devices.
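The practical check behind lessons 3 and 4 is to find accounts whose stolen password alone would be enough to log in. The following is an added example (not the article's code, nor Snowflake's) that runs over constructed login records whose field names mirror the columns of Snowflake's ACCOUNT_USAGE.LOGIN_HISTORY view (USER_NAME, CLIENT_IP, REPORTED_CLIENT_TYPE, FIRST_AUTHENTICATION_FACTOR, SECOND_AUTHENTICATION_FACTOR, IS_SUCCESS); the rows, user names and IPs are sample data made up for the example, and the "known IP" allow-list is an assumed input a defender would maintain from managed-device egress ranges.

```python
"""Flag successful Snowflake logins completed with a password and no second
factor, and highlight those coming from an IP the user has never used before.

Added example; not Snowflake's code or the article's. Field names mirror the
columns of Snowflake's ACCOUNT_USAGE.LOGIN_HISTORY view; the rows below are
constructed sample data, not real account activity.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional, Set


@dataclass(frozen=True)
class LoginEvent:
    event_timestamp: str
    user_name: str
    client_ip: str
    reported_client_type: str
    first_authentication_factor: str
    second_authentication_factor: Optional[str]  # None when no MFA was used
    is_success: bool


# Constructed sample rows (not real data): an analyst enrolled in MFA, a
# pipeline user whose password alone is accepted, and one failed attempt.
SAMPLE_LOGINS: List[LoginEvent] = [
    LoginEvent("2024-05-20T09:01:00Z", "ANALYST_A", "203.0.113.10", "SNOWFLAKE_UI", "PASSWORD", "DUO_PUSH", True),
    LoginEvent("2024-05-21T03:12:00Z", "ANALYST_A", "203.0.113.10", "SNOWFLAKE_UI", "PASSWORD", "DUO_PUSH", True),
    LoginEvent("2024-05-22T02:44:00Z", "ETL_USER", "198.51.100.7", "PYTHON_DRIVER", "PASSWORD", None, True),
    LoginEvent("2024-05-23T22:15:00Z", "ETL_USER", "192.0.2.55", "JDBC_DRIVER", "PASSWORD", None, True),
    LoginEvent("2024-05-23T22:16:00Z", "ANALYST_B", "192.0.2.55", "SNOWFLAKE_UI", "PASSWORD", None, False),
    LoginEvent("2024-05-24T11:00:00Z", "ANALYST_B", "203.0.113.20", "SNOWFLAKE_UI", "PASSWORD", "DUO_PUSH", True),
]


def password_only_logins(events: List[LoginEvent]) -> List[LoginEvent]:
    """Successful logins where the password was the only factor presented."""
    return [
        e for e in events
        if e.is_success
        and e.first_authentication_factor == "PASSWORD"
        and e.second_authentication_factor is None
    ]


def users_without_mfa(events: List[LoginEvent]) -> Dict[str, List[str]]:
    """Map each user to the sorted, distinct client IPs from which a
    password-only login succeeded. These are the accounts a leaked
    credential would open on its own."""
    seen: Dict[str, Set[str]] = defaultdict(set)
    for e in password_only_logins(events):
        seen[e.user_name].add(e.client_ip)
    return {user: sorted(ips) for user, ips in seen.items()}


def new_source_logins(events: List[LoginEvent], known_ips: Dict[str, Set[str]]) -> List[LoginEvent]:
    """Password-only successes from an IP outside the user's known set
    (assumed to be maintained from managed-device egress ranges): the
    pattern a stolen credential produces when replayed from another host."""
    return [
        e for e in password_only_logins(events)
        if e.client_ip not in known_ips.get(e.user_name, set())
    ]


if __name__ == "__main__":
    known = {"ETL_USER": {"198.51.100.7"}}
    print("Users with password-only access:", users_without_mfa(SAMPLE_LOGINS))
    for e in new_source_logins(SAMPLE_LOGINS, known):
        print(f"REVIEW {e.user_name} {e.event_timestamp} from {e.client_ip} via {e.reported_client_type}")
```

On a real account the same logic would be run against the LOGIN_HISTORY view itself; the point of the two-step split is that `users_without_mfa` gives the list of accounts to enrol in MFA (or to restrict with a network policy), while `new_source_logins` is the alert to raise in the meantime.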

Let’s Talk

Have any comments or notes? Shoot me a message and let’s discuss. If you liked this article and you want to get notified on future research by Torch Security, sign up here.
