
The recent breach against Ticketmaster was highly likely the result of a supply chain attack against a Managed Service Provider, the same provider that is also suspected to be the source of the attack against banking giant Santander.
I wrote about the Ticketmaster breach on Friday. At the time, I said that Ticketmaster had not officially admitted the breach. Later that evening, however, the parent company (Live Nation) filed a report with the United States Securities and Exchange Commission in which they announced that they had identified unauthorised activity on their systems.
On May 20, 2024, Live Nation Entertainment, Inc. (the “Company” or “we”) identified unauthorized activity within a third-party cloud database environment containing Company data (primarily from its Ticketmaster L.L.C. subsidiary) and launched an investigation with industry-leading forensic investigators to understand what happened. On May 27, 2024, a criminal threat actor offered what it alleged to be Company user data for sale via the dark web. We are working to mitigate risk to our users and the Company, and have notified and are cooperating with law enforcement. As appropriate, we are also notifying regulatory authorities and users with respect to unauthorized access to personal information.
Santander breach
The threat actors posting the data breach (ShinyHunters) have also offered for sale the data pertaining to 30 million Santander customers along with the details of all current Santander staff, and some past staff.
The affected customers are from Chile, Spain, and Uruguay; the staff are global.
ShinyHunters are offering the data relating to:
- 30 million bank account details
- 6 million account numbers and balances
- 28 million credit card numbers
- HR information for Santander employees
Speculation is that the attacks were made possible by compromising a cloud services provider that both companies, along with many other high-profile clients, use.
Snowflake
The Managed Services Provider (MSP) is called Snowflake, which provides various cloud-based data solutions for its customers.

Snowflake, however, is disputing claims that the threat actors compromised the account details of an employee and then used those credentials to issue session tokens allowing them to access customer data.
Customers of Snowflake include Adobe, Mastercard, Cisco, AT&T, Comcast, Sainsbury’s, DoorDash, EA Games, Pfizer, Virgin Media, KFC, John Lewis, and many more.
Israeli cyber security company Hudson Rock was the first company to suspect that the Ticketmaster and Santander leaks were the result of Snowflake being hacked. A statement on their website (now removed) said that they had been in touch with the threat actors, who stated that they had bypassed Okta’s secure authentication process by signing into a Snowflake employee’s ServiceNow account using stolen credentials. That allowed them to generate session tokens to exfiltrate data belonging to Snowflake customers.
If Snowflake were the source of the breaches, I would suspect that others will follow suit shortly.