Cybersecurity Alert: Major Data Breach Exposes Millions of Records in Third-Party Vendor Compromise
A significant data breach has come to light after a third-party vendor, Snowflake, a cloud-based data warehousing company, fell victim to a targeted cyberattack. The incident, first detected in late May 2024, has exposed sensitive information belonging to multiple high-profile organizations, including Ticketmaster, Santander Bank, and Advance Auto Parts.
Attackers exploited stolen credentials to gain unauthorized access to Snowflake customer accounts, leveraging infostealer malware previously deployed on contractor systems. While Snowflake has stated that its platform itself was not breached, the compromise of customer credentials enabled threat actors to exfiltrate vast datasets. Ticketmaster confirmed that 560 million customer records, including names, payment details, and contact information, were stolen. Santander Bank reported that data from 30 million customers and employees primarily in Chile, Spain, and Uruguay was compromised, while Advance Auto Parts disclosed the theft of 3 terabytes of data, including employee and customer information.
Cybersecurity firm Mandiant, investigating the breach, linked the attack to a financially motivated threat group known as UNC5537, which has been active since at least 2020. The group is suspected of selling the stolen data on underground forums, raising concerns about potential follow-on attacks, including phishing and fraud.
The incident underscores the growing risks of supply chain vulnerabilities, particularly when third-party vendors lack robust authentication measures. While Snowflake has urged customers to enforce multi-factor authentication (MFA) and review access logs, the breach highlights the cascading impact of credential-based attacks in cloud environments. Affected organizations are now facing regulatory scrutiny, potential legal action, and reputational damage as they work to mitigate fallout.
Ticketmaster TPRM report: https://www.rankiteo.com/company/ticketmaster
Snowflake TPRM report: https://www.rankiteo.com/company/snowflake-computing
Santander Bank TPRM report: https://www.rankiteo.com/company/banco-santander
"id": "bansnotic1771979968",
"linkid": "banco-santander, snowflake-computing, ticketmaster",
"type": "Breach",
"date": "2/2026",
"severity": "85",
"impact": "4",
"explanation": "Attack with significant impact with customers data leaks"
{
  "affected_entities": [
    {"customers_affected": "560 million", "industry": "Ticketing", "name": "Ticketmaster", "type": "Entertainment"},
    {"customers_affected": "30 million", "industry": "Banking", "location": "Chile, Spain, Uruguay", "name": "Santander Bank", "type": "Financial Services"},
    {"industry": "Automotive Parts", "name": "Advance Auto Parts", "type": "Retail"},
    {"industry": "Cloud Data Warehousing", "name": "Snowflake", "type": "Technology"}
  ],
  "attack_vector": "Stolen credentials, Infostealer malware",
  "data_breach": {
    "data_exfiltration": "Yes",
    "number_of_records_exposed": "590+ million (combined)",
    "personally_identifiable_information": "Yes",
    "sensitivity_of_data": "High",
    "type_of_data_compromised": ["Customer records", "Employee information", "Payment details", "Contact information"]
  },
  "date_detected": "2024-05",
  "description": "A significant data breach occurred after a third-party vendor, Snowflake, fell victim to a targeted cyberattack. Attackers exploited stolen credentials to gain unauthorized access to Snowflake customer accounts, leading to the exposure of sensitive information belonging to multiple high-profile organizations, including Ticketmaster, Santander Bank, and Advance Auto Parts. The breach was linked to the threat group UNC5537, which is suspected of selling the stolen data on underground forums.",
  "impact": {
    "brand_reputation_impact": "High",
    "data_compromised": "Sensitive customer and employee information, payment details, contact information",
    "identity_theft_risk": "High",
    "legal_liabilities": "Potential",
    "payment_information_risk": "High",
    "systems_affected": "Snowflake customer accounts"
  },
  "initial_access_broker": {
    "data_sold_on_dark_web": "Suspected",
    "entry_point": "Stolen credentials via infostealer malware",
    "high_value_targets": "Snowflake customer accounts"
  },
  "investigation_status": "Ongoing",
  "lessons_learned": "Growing risks of supply chain vulnerabilities, importance of robust authentication measures for third-party vendors",
  "motivation": "Financial gain",
  "post_incident_analysis": {
    "corrective_actions": "Enforce MFA, review access logs, enhance third-party vendor security",
    "root_causes": "Compromise of third-party vendor (Snowflake), lack of MFA, stolen credentials via infostealer malware"
  },
  "recommendations": "Enforce multi-factor authentication (MFA), review access logs, enhance monitoring of third-party vendor access",
  "references": [{"source": "Cybersecurity Alert"}, {"source": "Mandiant Investigation"}],
  "regulatory_compliance": {"legal_actions": "Potential"},
  "response": {
    "remediation_measures": "Enforce multi-factor authentication (MFA), Review access logs",
    "third_party_assistance": "Mandiant"
  },
  "threat_actor": "UNC5537",
  "title": "Major Data Breach Exposes Millions of Records in Third-Party Vendor Compromise",
  "type": "Data Breach",
  "vulnerability_exploited": "Lack of multi-factor authentication (MFA), Third-party vendor compromise"
}