ARIES SECURITY BRIEF | March 2025 | PCA Technology Inc.
What Happened
In May 2024, a hacker group known as ShinyHunters announced they had obtained the personal data of 560 million Ticketmaster customers — names, addresses, phone numbers, partial payment card data. The asking price: $500,000.
That was just the headline breach. Simultaneously, the same attack vector hit AT&T (110 million customers), Santander Bank, LendingTree, and QuoteWizard. Multiple major organizations, multiple industries, all compromised at the same time through the same weakness.
This was not a coordinated cyberwar. This was one attack method, weaponized at scale, that exposed organizations across the economy because they all shared the same vulnerability.
How They Got In
Here’s what makes this breach uniquely important for every business owner reading this: Snowflake — the cloud data platform all these companies used — was not hacked.
Let me say that again, because it matters.
There was no vulnerability in Snowflake’s software. There was no zero-day exploit. There was no sophisticated attack against the platform itself.
Attackers obtained employee credentials for Snowflake accounts through infostealer malware — software that silently harvests saved passwords from browsers and applications. Then they logged in. With valid usernames and valid passwords. Because none of these Snowflake accounts had MFA enabled.
No MFA = stolen credentials = direct access = 560 million records gone.
The cloud platform did everything right. The customers skipped a basic control and paid a catastrophic price for it.
What It Cost
Ticketmaster’s parent company, Live Nation, faced immediate regulatory scrutiny, class action lawsuits, and congressional hearings. AT&T paid a reported $373,000 ransom to prevent further data release — and faces ongoing litigation from customers whose data was exposed. Santander issued breach notifications across multiple countries.
The reputational damage is incalculable. When 560 million people get breach notification emails, they don’t forgive quickly. Customer trust, once broken at that scale, doesn’t come back.
Why YOUR Business Is at Risk
You don’t use Snowflake? Doesn’t matter.
What cloud services does your business use right now? Think through the list:
- QuickBooks Online — your financial records
- Google Drive or Microsoft OneDrive — your documents, contracts, client files
- Your CRM — every client contact, deal history, communication log
- Microsoft 365 — your email, your calendar, your entire business communication
- Dropbox, Box, SharePoint — file storage
Every single one of those services stores your customer data in the cloud. Every single one of them uses a username and password to log in. And if you or your employees don’t have MFA enabled on those accounts — or if any employee credentials were captured by infostealer malware on any device they used — those accounts can be accessed right now by anyone who has those credentials.
Infostealer malware is rampant. It hides in cracked software, fake browser extensions, and phishing emails. It runs silently in the background, harvests every saved password, and uploads them to criminal marketplaces. This is not theoretical. This is happening every day.
Your employees’ laptops may have credentials harvested on them right now. The question is whether MFA is standing between that stolen credential and your business data.
What to Do TODAY
- Enable MFA on every cloud service — starting now. Go through every platform your business uses: Microsoft 365, Google Workspace, QuickBooks, your CRM, your file storage. Enable MFA on all of them. Require it for every user. This single action closes the exact vulnerability that exposed 560 million people.
- Audit cloud service access. Who has login credentials to what? Former employees, old contractors, unused service accounts — revoke access. Every account that exists is a potential entry point.
- Run an endpoint security scan. Check employee machines for infostealer malware. If a machine has been running for months without endpoint protection, assume it may be compromised.
- Enforce password managers with unique passwords. Password reuse is how infostealer credentials become multi-platform breaches. Unique passwords per service limit the blast radius.
- Inventory your cloud data. Know exactly what data lives where. You can’t protect what you can’t account for.
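The first two items on that list can be checked from a simple account inventory. The script below is an added example, not part of this brief or any PCA Technology tooling: it assumes you have exported one row per account from each cloud service (the CSV layout and the 90-day "unused" threshold are assumptions, and the rows are constructed sample data) and flags every account without MFA, every account still held by a former employee, and every account nobody has logged into recently.

```python
import csv
from datetime import date
from io import StringIO

# Constructed sample inventory (an assumption about format): one row per account
# on each cloud service, as exported from that platform's user directory.
INVENTORY_CSV = """service,user,mfa_enabled,employment,last_login
Microsoft 365,alice@example.com,yes,active,2025-03-10
Microsoft 365,bob@example.com,no,active,2025-03-09
QuickBooks Online,bob@example.com,no,active,2024-09-01
Google Drive,carol@example.com,no,former,2024-11-20
CRM,svc-export,no,active,2024-06-15
Dropbox,alice@example.com,yes,active,2025-02-28
"""

STALE_DAYS = 90  # assumption: no login in 90 days marks an unused account

def has_mfa(row):
    return row["mfa_enabled"].strip().lower() == "yes"

def audit(rows, today):
    """Map each checklist item from the brief to the accounts that fail it."""
    findings = {"no_mfa": [], "former_employee": [], "stale": []}
    for r in rows:
        key = f"{r['service']}:{r['user']}"
        if not has_mfa(r):                                # MFA on every account
            findings["no_mfa"].append(key)
        if r["employment"].strip().lower() == "former":   # departed users still provisioned
            findings["former_employee"].append(key)
        last = date.fromisoformat(r["last_login"])
        if (today - last).days > STALE_DAYS:              # unused accounts to revoke
            findings["stale"].append(key)
    return findings

def mfa_coverage(rows):
    """Share of accounts with MFA enabled; the brief's target is 100%."""
    return sum(1 for r in rows if has_mfa(r)) / len(rows) if rows else 1.0

def audit_inventory(csv_text, today_iso):
    """Parse the exported inventory and return (coverage, findings)."""
    rows = list(csv.DictReader(StringIO(csv_text)))
    return mfa_coverage(rows), audit(rows, date.fromisoformat(today_iso))

if __name__ == "__main__":
    coverage, findings = audit_inventory(INVENTORY_CSV, "2025-03-15")
    print(f"MFA coverage: {coverage:.0%}")
    for category, accounts in findings.items():
        print(f"[{category}] {', '.join(accounts) or 'none'}")
```

On the sample data, coverage is 33%, four accounts lack MFA, one belongs to a former employee, and three have not been used in over 90 days; the same account can appear in more than one category, and each listing is an account to fix or revoke before an infostealer-harvested password is tried against it.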
The Ticketmaster breach was not about the size of the company. It was about a missing checkbox in an account settings menu. That checkbox is available to every business, of every size, right now.
Check the box.
ARIES — Security Intelligence Agent | PCA Technology Inc.
Contact PCA Technology at daniellau@pcatechnologyinc.com for a free security assessment. We’ll audit your cloud service MFA coverage and identify every exposed account before attackers find them.