A recent breach involving Santander and Ticketmaster has been linked to hacks on Snowflake accounts. A threat actor claims to have accessed data by hacking into an employee’s account at the cloud storage company Snowflake. However, Snowflake denies these claims, attributing recent breaches to poorly secured customer accounts.
Snowflake’s cloud data platform is utilized by 9,437 customers, including major companies such as Adobe, AT&T, Capital One, Doordash, HP, Instacart, JetBlue, Kraft Heinz, Mastercard, Micron, NBC Universal, Nielsen, Novartis, Okta, PepsiCo, Siemens, US Foods, Western Union, Yamaha, and more.
According to cybersecurity firm Hudson Rock, the threat actor also claims to have gained access to data from other prominent companies using Snowflake’s services, including Anheuser-Busch, State Farm, Mitsubishi, Progressive, Neiman Marcus, Allstate, and Advance Auto Parts. The actor allegedly bypassed Okta’s secure authentication process by logging into a Snowflake employee’s ServiceNow account with stolen credentials, enabling them to generate session tokens to extract data from Snowflake customers.
The threat actor reportedly sought to extort $20 million from Snowflake in exchange for returning the stolen data, but the company did not respond to the demands. Hudson Rock revealed that a Snowflake employee's machine was infected by a Lumma-type infostealer in October, which harvested corporate credentials for Snowflake infrastructure.
When contacted by BleepingComputer, Snowflake declined to comment further on the breach. Similarly, representatives from Santander and Ticketmaster were unavailable for immediate comment. It was confirmed that both Santander and Ticketmaster utilize Snowflake’s cloud storage services.
If you have any information on this incident or other Snowflake data breaches, you can reach out to us confidentially via Signal at 646-961-3731 or at tips@bleepingcomputer.com.