Overview of the Snowflake Breach: Threat Actor Offers Data of Cloud Company’s Customers

Another Breach Post for Truist After the Company’s Latest Announcement – June 24, 2024

In a hacker forum monitored by SOCRadar, a threat actor is now claiming to sell the entire databases from the Truist breach, which was initially thought to be related to the Snowflake incident but was later clarified as unrelated.

The threat actor is offering the data for a significantly reduced price of $75,000, down from the alleged current market value of $1 million. They stated they are open to negotiation and provided samples to prove authenticity.

The compromised data allegedly includes employee ID, display name, principal name, email, address, job title, and location. Customer data in the breach reportedly contains account numbers, client names, loan amounts, loan balances, marketing codes, ACH start dates, birthdates, advance dates, and various other random data forms.

Despite the breach not being connected to Snowflake, it remains significant to monitor this situation. As noted in a previous update, Truist Bank continues its investigation into the incident, which dates back to October 2023. The firm has notified clients and reported finding no indication of fraud arising from the breach. However, given the sensitive information potentially exposed in this new leak, the risk of fraud remains heightened.

1 Million Ticketmaster Users Exposed, Jollibee and TEG Also Breached – June 20, 2024

In an alarming post on a hacker forum, on June 20, the Sp1d3r threat actor leaked the information of 1 million Ticketmaster users for free as a sample.

The threat actor noted that the company did not respond to their attempts to sell the data, concluding that Ticketmaster does not care about the privacy of the 680 million users mentioned to be affected by the breach.

The leaked data includes personal information such as names, birth dates, emails, addresses, IP addresses, and financial information such as credit card type, last four digits, and expiration dates.

On the same day, the threat actor also posted about data breaches involving Jollibee, a Filipino fast food restaurant chain, and TEG, an Australian ticket vendor.

The Jollibee breach allegedly includes 32 million customer records with names, addresses, phone numbers, email addresses, and hashed passwords. Additionally, it involves 650 million rows of data covering food delivery details, sales orders, transactions, customer information, and service-related data. The data is being sold for $40,000.

For TEG, the breached data supposedly contains information on 30 million users, including names, genders, birth dates, businesses, usernames, and hashed passwords, among other details.

While it is unclear if the Jollibee or TEG data breaches are related to Snowflake, the pattern of Sp1d3r’s activity suggests a significant threat. Given their involvement in several notable breaches related to Snowflake, it is advisable to follow these and future breach posts by the threat actor.

Additionally, the threat actor’s allegations appear credible, as Advance Auto Parts (AAP) recently confirmed a breach claimed by Sp1d3r. The company acknowledged that a third-party cloud database was compromised, aligning with the threat actor’s assertions of it being a Snowflake breach.

LAUSD.net, Edgenuity and K12360.com Breached – June 18

The threat actor’s post indicates that 4m+ students’ data is breached, and if LASchools or Edgenuity doesn’t pay the requested amount in 7 days, student details will be leaked.

Advance Auto Parts Confirms Breach – June 14, 2024

Advance Auto Parts has confirmed the data breach previously claimed by the Sp1d3r threat actor. In a Form 8-K filing with the SEC, the company stated that the data was stolen from a third-party cloud database environment, adding credibility to the speculation that Snowflake was involved.

Advance Auto Parts disclosed $3 million in expenses resulting from the breach, which compromised personal information, including Social Security numbers (SSNs) and other government-issued IDs, of current and former employees as well as job applicants.

This confirmation further validates the connection to the recent Snowflake breach, underscoring the severity and widespread impact of the incident.

Update on Truist Bank Data Breach – June 13, 2024

There has been a confirmation following the Truist Bank data breach we mentioned on June 11, 2024. The company revealed that its systems were breached in an October 2023 cyberattack, which was swiftly contained.

However, Truist Bank clarified that this breach was not connected to Snowflake, and they have not found any evidence pointing to a Snowflake-related incident within their systems.

Based on new information from the ongoing investigation of the October 2023 incident, Truist Bank has notified additional clients. They also report finding no indication of fraud arising from this breach.

Since the Sp1d3r threat actor’s breach of Truist Bank was confirmed to be unrelated to a Snowflake incident, this clarification calls into question any purported links to Snowflake in other previous or future breach claims by the threat actor.

Pure Storage Confirms Snowflake Breach – June 11, 2024

Pure Storage reported a security incident involving unauthorized access to a Snowflake data analytics workspace.

Pure Storage is a cloud storage systems provider; its platform serves many well-known brands, including Comcast, Equinix, Meta, Ford, JP Morgan, Johnson Controls, and NASA.

This workspace contained telemetry data for customer support, including company names, LDAP usernames, email addresses, and Purity software release versions.

According to the company’s security bulletin, although customer names, usernames, and email addresses were exposed in the Pure Storage breach, credentials for array access or other customer-stored data were not affected.

Attribution to ‘UNC5537’ and More Details – June 10, 2024

Google Mandiant is tracking the activity targeting Snowflake customers as UNC5537, attributing it to be a financially motivated threat actor.

Researchers described UNC5537 as a threat actor who systematically compromises Snowflake customer instances, using stolen credentials from stealer logs for access. They advertise the exfiltrated victim data for sale on hacker forums and attempt to extort the victims.

According to reports, there is no evidence that unauthorized access to Snowflake customer accounts resulted from a breach of Snowflake’s enterprise environment. Instead, every incident responded to in this campaign was traced back to compromised customer credentials.

Advance Auto Parts Data Breach Post – June 5, 2024

The Sp1d3r threat actor, previously mentioned in other breach posts, claims to be selling 3TB of data from Advance Auto Parts on a hacking forum. This breach is allegedly linked to the Snowflake incident, with data purportedly stolen after breaching the company’s Snowflake account.

The threat actor lists the stolen data as including 380 million customer profiles, 140 million customer order records, 44 million loyalty card numbers with related customer details, auto parts information, sales history, and employment candidate details such as Social Security numbers, driver’s license numbers, and demographic details. It also includes transaction details, and critically, information on 358,000 employees.

In actuality, Advance Auto Parts currently employs around 68,000 people. If the breach is authentic, it could mean that the remaining data belongs to former employees.

The threat actor is offering this data for $1.5 million. The only partial confirmation of this breach is that the leaked data contains numerous references to Snowflake, supporting the claim that it is linked to the recent Snowflake breach.

Another Breach Post, Possibly Related to the Snowflake Incident: QuoteWizard & LendingTree – June 1, 2024

On June 1, a claim posted on BreachForums caught the attention of SOCRadar researchers. The post, made by a user with a nickname resembling the “SpidermanData” threat actor from the Exploit forum, was identified as belonging to a threat actor named Sp1d3r. This threat actor claimed to have obtained a significant amount of data from two leading companies in the insurance and financial services sectors, QuoteWizard and LendingTree.

The data, which allegedly reached 2TB when compressed, was said to include highly sensitive personal information of 190 million individuals and 3 billion tracking pixel data records.

Snowflake’s Disclosure About the Breach – May 31, 2024

On May 31, Snowflake began updating a thread about an investigation into a targeted threat campaign against some customer accounts. In their latest statement, Snowflake, along with third-party cybersecurity experts, reported no evidence of vulnerabilities, misconfigurations, or breaches within Snowflake’s platform. They also confirmed that no current or former employee credentials were compromised.

The thread was later updated, on June 2, to state that there was evidence that a threat actor obtained personal credentials and accessed demo accounts belonging to a former Snowflake employee.

Live Nation Confirms the Ticketmaster Data Breach – May 31, 2024

On May 31, Live Nation, Ticketmaster’s parent company, confirmed the data breach. In their SEC filing, Live Nation stated, “On May 20, 2024, Live Nation Entertainment, Inc. (the “Company” or “we”) identified unauthorized activity within a third-party cloud database environment containing Company data (primarily from its Ticketmaster L.L.C. subsidiary) and launched an investigation with industry-leading forensic investigators to understand what happened. On May 27, 2024, a criminal threat actor offered what it alleged to be Company user data for sale via the dark web. We are working to mitigate risk to our users and the Company, and have notified and are cooperating with law enforcement. As appropriate, we are also notifying regulatory authorities and users with respect to unauthorized access to personal information.”

ShinyHunters Mirrors the Santander Breach Post – May 30, 2024

On May 30, the threat actor ShinyHunters reposted the previously reported Santander breach on BreachForums, mirroring an earlier post originally published by the threat actor known as “whitewarlock”. ShinyHunters, known for acting as a data broker for various threat actors, brought significant attention to this incident.

ShinyHunters Mirrors the Ticketmaster Breach Post – May 28, 2024

On May 28, ShinyHunters, a notorious hacking group, shared a Ticketmaster post mirrored from Exploit on BreachForums.

This was significant because it coincided with the reactivation of BreachForums’ clear net domain, which had been seized by law enforcement in mid-May 2024. ShinyHunters announced via a Telegram post that they had regained control of the domain, signaling a major event in the cybercriminal community.

Ticketmaster Data Breach Post on Hacker Forum – May 27, 2024

On May 27, a threat actor using the alias SpidermanData registered on the Exploit hacking forum. On the same day, they claimed to have access to Ticketmaster’s systems and claimed possession of 560 million user and financial records. SpidermanData demanded $500,000 for the data.

The extensive information offered included full names, addresses, email addresses, phone numbers, order details, ticket sale information, event details, and even credit card information, including expiration dates.

Santander Data Breach Post on Hacker Forum – May 24, 2024

On May 24, a threat actor named “whitewarlock,” who registered on the same day, claimed on the Russian-speaking hacker forum Exploit that they had hacked Santander Group.

The attacker stated that they had obtained the bank account details of 30 million people, 6 million account numbers and balances, 28 million credit card numbers, and HR information for staff. The hacker demanded 30 BTC (approximately $2 million) for the data.