Snowflake says it’s not to blame for the Ticketmaster hack

  • Ticketmaster said it became aware of the hack after discovering suspicious activity in a third-party cloud database
  • Some pointed the finger at Snowflake, which applauded preliminary findings from an investigation
  • Snowflake encouraged customers to strengthen their security protocols anyway

Cloud storage company Snowflake is taking a hard look in the mirror following a massive Ticketmaster hack that could compromise the data of more than half a billion customers.

Ticketmaster’s parent company, Live Nation, said in a regulatory filing last week that it first noticed “unauthorized activity in a third-party cloud database environment containing company data” on May 20. A week later, it said, hackers were offering alleged Ticketmaster data for sale on the dark web.

Its vague comments about a third-party cloud provider led some to point the finger at cloud storage and database company Snowflake. But Snowflake rejected that claim.

Brad Jones, Snowflake’s CISO, said in a blog post that while the company’s investigation (conducted with Mandiant and CrowdStrike) “found evidence that a threat actor obtained personal credentials and accessed demo accounts belonging to a former Snowflake employee,” those demo accounts do not contain any sensitive data. Additionally, he emphasized that the company’s demo accounts “are not connected to Snowflake’s production or corporate systems.”

Its preliminary investigation found evidence of a targeted threat campaign aimed at “users with single-factor authentication,” and the company warned that “threat actors leveraged credentials previously purchased or obtained through identity-stealing malware.”

But Snowflake has yet to find evidence that this activity was caused by compromised employee credentials or a “vulnerability, misconfiguration or breach of the Snowflake platform,” Jones said.

Jones urged customers to enforce multi-factor authentication for all accounts and configure their network policy rules to allow only authorized users.

The timing of the news isn’t great for Snowflake, which is kicking off its Data Cloud Summit in San Francisco on Monday. We’ll be tuning into the keynote and talking to some executives around the event, so stay tuned for more updates on this and other Snowflake developments.