More than 500 Snowflake customer passwords linked to the breach that affected Banco Santander and Ticketmaster are leaked

June 6 (Portaltic/EP) –

Researchers have discovered a website that includes more than 500 account credentials belonging to Snowflake customers, a massive leak that is related to the recent security breach that exposed data from companies such as Banco Santander and Ticketmaster.

As was known a few days ago, Bank Santander suffered “unauthorized access” to an entity’s database hosted by an external provider, which affected clients from Spain, Chile, Uruguay, as well as all the group’s employees and could result in the theft of their clients’ information.

The online ticket sales company TicketMaster also recorded a similar security incident at the end of May, when the hacker group ShinyHunters claimed that it had in its possession data from 560 million users of this platform, including email addresses, telephone numbers and even bank card information.

On the other hand, the cloud data storage and analysis service snowflake posted last week a statement in which it admitted to being investigating, together with cybersecurity experts CrowdStrike and Mandiant, a threat campaign targeting some Snowflake customer accounts.

In this sense, the company assured that they had compromised “a limited number” of customer accounts, although he did not detail exactly which ones. In addition, he clarified that they found no indication that the malicious activity was caused by a vulnerability or breach of their platform nor did they identify evidence that the incident was caused by compromised passwords of current or former platform personnel.

In this sense, Snowflake determined that “it seemed like a campaign targeting users with single-factor authentication” -that is, it did not have MFA- and that malicious actors would have taken advantage of credentials previously purchased or obtained through information theft ‘malware’.

The organization also detailed that it had found evidence that a malicious actor obtained personal credentials and accessed to demo accounts belonging to a former employee. Even so, stressed that this account It did not contain sensitive data, as demo accounts are not connected to Snowflake’s corporate or production systems.

Recently there have been identified more than 500 login credentials allegedly belonging to Snowflake customers that are available ‘online’, which means that it gives free rein to cybercriminals to appropriate them and use them in malicious campaigns.

As you have been able to know TechCrunchthe attackers obtained these keys through a information theft malware that infected the devices of employees who have access to their clients’ accounts.

Among the access codes included in this directory would be some belonging to Banco Santander, Ticketmaster, two pharmaceutical giants – which have not been identified – and a food delivery service, among others. Likewise, usernames and passwords of a former employee of Snowflake itself have been identified.

This medium has clarified that It is unknown when the employees’ credentials were stolen, or how long they have been exposed online, although they have verified that The credentials did not have the security that the MFA system provides.

It should be noted that Snowflake does not require the use of two-factor authentication to log in for its customers, which is why it has told TechCrunch that these are the “responsible for enforcing MFA with their users” and has recommended enabling this security solution.