
Previous HN comments indicated this could just be demo Snowflake accounts, which were all compromised from a single individual’s account at Snowflake. But the announcements don’t seem consistent with this. Do we think prospective customers really shared 100s of millions of real customer records for demo accounts? Or more likely the sales person was granted access to production systems by the prospective clients, so their credential without MFA could be used to access many customers’ real data? I struggle to see how Snowflake can blame the customer here; secure by default is something a customer should reasonably expect for their money.


I think if it’s one customer you could maybe blame the customer and get away with it. If it’s multiple at once, all those customers very obviously are just pointers back.


My guess is that it went down like this. Ticketmaster gave access to their production tenant to a sales engineer that was probably attached to their account rep. He got an account with a set password, was not onboarded into their Okta/Azure AD/etc and didn't have MFA enabled for his account and wasn't restricted to a range of IPs for access.

He got p0wned and the hackers got in using his creds. Of course he likely had accountadmin or something highly privileged since he was likely routinely asked to look at random things at Ticketmaster... that too didn't help.


It seems unlikely that a French SE would be working on Ticketmaster and Santander.



