Up to 560 million Ticketmaster customers may have their details exposed through a cyber breach involving some 1.3 terabytes of customer data, including names, addresses, credit card numbers, phone numbers, and payment details.
Hacking group ShinyHunters is claiming responsibility and is demanding that Ticketmaster pay a ransom of half a million US dollars (about AUD$750,000), or the data will be made public.
While details are still emerging, the leak appears to have occurred through a compromised credential for Ticketmaster's Snowflake data cloud account. This led Israeli research firm Hudson Rock to assert that Snowflake itself had been compromised and that Snowflake customers should be wary. Snowflake adamantly denies that it has suffered any breach. Hudson Rock has since removed its report, with no trace of it now found anywhere on its website, but not before news outlets and other analysts ran with it and incorrectly asserted that Snowflake itself had been breached. Current thinking is that a Ticketmaster developer's credentials were exposed through a different product and then used to log in to a Snowflake account that, alas, had no MFA protection.
Snowflake has stated in no uncertain terms:
- there is no evidence in any way that the Ticketmaster breach was caused by any vulnerability, misconfiguration, or breach of Snowflake's product
- Snowflake does not believe it was the source of leaked credentials
- there is no facility, such as an API or other means, that allows anyone to exfiltrate credentials from Snowflake
- Snowflake is a public-facing cloud product and any person or company can sign up at any time. If a threat actor obtains a customer's credentials through some breach or the customer itself, then that malicious actor can access the customer's data - as would be the case with any breach of credentials for any other product by any other provider
Snowflake continues to remind customers of the value of multi-factor authentication (MFA), something that iTWire also regularly advocates all readers employ for all their accounts across all their products and services.
No matter which organisations were involved, it's a timely reminder to Snowflake administrators to review their account security.
The Australian Cyber Security Centre (ACSC) issued an alert on Saturday 1 June 2024 advising Snowflake customers to ensure they use MFA, disable unused accounts, and review user activity.
Mark Jones, a Senior Partner at Tesserent, a Thales Australia cybersecurity company, also stressed: "It's important for organisations to protect sensitive information, safeguard intellectual property, maintain supply chain integrity, ensure compliance with regulations, and mitigate operational risks. Organisations should not only focus on internal controls, but also put a strong focus on managing their third-party suppliers and understand and assess the security risks they may pose."
It's important to note that while Snowflake offers MFA, with a tight integration with Duo, MFA is not enabled by default on a Snowflake account, nor can an administrator force it on for any specific user. Instead, users must self-enrol in MFA by following Snowflake's self-enrolment instructions. Administrators can disable MFA for a user who loses a device, but the responsibility to turn it on in the first place lies with the user. This is not an ideal situation - preferably, an administrator could make MFA mandatory for all their users - but it is something Snowflake users can, and should, activate immediately. What administrators can do today is find out who has not enrolled, look for password logins that were not backed by a second factor, and disable accounts nobody is using.
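The review the ACSC alert calls for, written out as Snowflake SQL an administrator could run in a worksheet. This is an added example for this article, not a query set published by Snowflake, the ACSC or Ticketmaster; the user name `old_etl_user`, the IP range `203.0.113.0/24` and the lookback windows are placeholders. It also goes one step beyond the ACSC list by adding a network policy, which blocks a stolen password from being used outside an allowed address range.

```sql
-- Snowflake account-security review. Run as ACCOUNTADMIN, or a role granted
-- IMPORTED PRIVILEGES on the SNOWFLAKE database. ACCOUNT_USAGE views lag live
-- state by up to a few hours, so confirm any finding with SHOW USERS before acting.

-- 1. Users who can log in with a password but have never enrolled in MFA.
--    EXT_AUTHN_DUO is the enrolment flag for Snowflake's built-in (Duo) MFA.
SELECT name, login_name, email, last_success_login
FROM   snowflake.account_usage.users
WHERE  deleted_on    IS NULL
  AND  disabled      = FALSE
  AND  has_password  = TRUE
  AND  ext_authn_duo = FALSE
ORDER BY last_success_login DESC NULLS LAST;

-- 2. Successful password logins in the last 30 days with no second factor.
--    SECOND_AUTHENTICATION_FACTOR is NULL when MFA was not used for the login.
SELECT user_name, client_ip, reported_client_type,
       first_authentication_factor, event_timestamp
FROM   snowflake.account_usage.login_history
WHERE  event_timestamp > DATEADD(day, -30, CURRENT_TIMESTAMP())
  AND  is_success = 'YES'
  AND  first_authentication_factor = 'PASSWORD'
  AND  second_authentication_factor IS NULL
ORDER BY event_timestamp DESC;

-- 3. Source IP addresses first seen in the last 7 days, and who used them.
--    A stolen credential is usually replayed from an address the account has
--    never logged in from before.
SELECT client_ip,
       MIN(event_timestamp)          AS first_seen,
       COUNT(*)                      AS logins,
       ARRAY_AGG(DISTINCT user_name) AS users
FROM   snowflake.account_usage.login_history
WHERE  is_success = 'YES'
GROUP BY client_ip
HAVING MIN(event_timestamp) > DATEADD(day, -7, CURRENT_TIMESTAMP())
ORDER BY first_seen DESC;

-- 4. Bulk unloads (COPY INTO <location>) in the last 30 days: the shape a
--    large data theft takes, ranked by rows written out.
SELECT user_name, role_name, start_time, rows_produced, bytes_scanned,
       LEFT(query_text, 120) AS query_text
FROM   snowflake.account_usage.query_history
WHERE  start_time > DATEADD(day, -30, CURRENT_TIMESTAMP())
  AND  query_type = 'UNLOAD'
ORDER BY rows_produced DESC NULLS LAST;

-- 5. Accounts idle for 90+ days, or never used: candidates to disable.
SELECT name, created_on, last_success_login
FROM   snowflake.account_usage.users
WHERE  deleted_on IS NULL
  AND  disabled   = FALSE
  AND  (last_success_login IS NULL
        OR last_success_login < DATEADD(day, -90, CURRENT_TIMESTAMP()))
ORDER BY last_success_login NULLS FIRST;

-- 6. Disable an idle account found in step 5 (placeholder user name).
ALTER USER old_etl_user SET DISABLED = TRUE;

-- 7. Restrict logins to a known address range (placeholder range), so a
--    leaked password cannot be used from an arbitrary host on the internet.
CREATE NETWORK POLICY IF NOT EXISTS corp_only ALLOWED_IP_LIST = ('203.0.113.0/24');
ALTER ACCOUNT SET NETWORK_POLICY = corp_only;
```

Step 2 is the one to look at first after an incident like this: any row it returns is a password-only login that a stolen credential would have reproduced exactly, with nothing for MFA to stop. Apply the network policy in step 7 only after checking that your own developers' and service accounts' addresses are in the allowed list, or you will lock yourself out along with the attacker.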
The investigation into Ticketmaster's breach is ongoing.
Image by Gerd Altmann from Pixabay