Snowflake data breach


The Snowflake data breach refers to a large-scale cybersecurity incident in 2024 involving unauthorized access to customer cloud environments hosted on Snowflake Inc., a cloud-based data warehousing platform. [1] [2] The breach affected numerous high-profile clients and has been regarded as one of the most significant data security incidents of the decade. [3]


Background

Snowflake Inc. provides a cloud data platform widely adopted by large enterprises for storing and analyzing data. In 2024, it became the focal point of a major cyberattack campaign that compromised sensitive data from more than 100 of its customers. [4]

2024 breach

In mid-2024, at least 160 organizations were reportedly targeted through vulnerabilities in how their Snowflake environments were configured and accessed. Affected companies included AT&T, Ticketmaster/Live Nation, Santander Bank, LendingTree, Advance Auto Parts, Neiman Marcus, and Bausch Health. [4] [5]

The breach resulted in the theft of a wide range of sensitive data, such as:

The stolen data was allegedly used for extortion, with hackers demanding ransoms from affected organizations in exchange for not leaking or selling the information. [6]

Nature of the attack

Security investigations revealed that the attackers, members of a known hacking group referred to as UNC5537 or Scattered Spider, accessed customer environments using stolen credentials obtained via infostealer malware. [7] Because many of these credentials were not protected by multi-factor authentication (MFA), the attackers could log in to Snowflake customer instances directly with just a username and password. [8]

A report by the cybersecurity firm Mandiant (a subsidiary of Google Cloud) outlined the extortion method and the scale of the incident, noting that over 160 customer environments may have been accessed. [9] [10]

Impact and government response

The breach had particularly serious implications for AT&T, whose call and text message metadata involving nearly all U.S. customers was compromised. [1] [4] The breach prompted an unprecedented request from the U.S. Department of Justice, which asked AT&T to delay public disclosure due to national security and public safety concerns. [1] [4] Reports later confirmed that AT&T paid a ransom of $370,000 in an attempt to have the stolen data deleted. [11] [12]

Arrests and attribution

In late 2024, law enforcement agencies in the United States and Canada identified and apprehended two core individuals allegedly responsible for the attack:

Court documents also reference a third unnamed individual, known only by the alias Reddington, who allegedly acted as an intermediary between the hackers and victim organizations. [11]

Security implications

The breach drew attention to widespread security misconfigurations and insufficient enforcement of multi-factor authentication across cloud platforms. [1] It also raised concerns over third-party risk and the need for tighter access controls and credential hygiene within cloud ecosystems. [1]
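As an added illustration of the two points above (the password-only logins the attack relied on, and the MFA enforcement and credential hygiene the breach highlighted), the following Python is example code written for this article, not code from Snowflake, Mandiant or any cited source. It assumes login records shaped like Snowflake's ACCOUNT_USAGE.LOGIN_HISTORY view (columns USER_NAME, CLIENT_IP, FIRST_AUTHENTICATION_FACTOR, SECOND_AUTHENTICATION_FACTOR, IS_SUCCESS); the rows it runs over are constructed sample data, and the factor values used (PASSWORD, DUO_PUSH, SAML2_ASSERTION) are assumed to match that view.

```python
"""Audit Snowflake-style login history for password-only (no MFA) access.

Added example for this article; not code from Snowflake or any cited report.
The rows below are constructed sample data in the shape of an
ACCOUNT_USAGE.LOGIN_HISTORY export (assumption, not a real export).
"""
from collections import defaultdict

# Constructed sample rows. Three different users log in from one source
# address within minutes, two of them with a bare password and no MFA.
SAMPLE_ROWS = [
    {"EVENT_TIMESTAMP": "2024-05-01T02:14:00", "USER_NAME": "ETL_SVC",
     "CLIENT_IP": "198.51.100.7", "FIRST_AUTHENTICATION_FACTOR": "PASSWORD",
     "SECOND_AUTHENTICATION_FACTOR": None, "IS_SUCCESS": "YES"},
    {"EVENT_TIMESTAMP": "2024-05-01T02:15:30", "USER_NAME": "ANALYST_A",
     "CLIENT_IP": "198.51.100.7", "FIRST_AUTHENTICATION_FACTOR": "PASSWORD",
     "SECOND_AUTHENTICATION_FACTOR": None, "IS_SUCCESS": "YES"},
    {"EVENT_TIMESTAMP": "2024-05-01T02:16:10", "USER_NAME": "ANALYST_B",
     "CLIENT_IP": "198.51.100.7", "FIRST_AUTHENTICATION_FACTOR": "PASSWORD",
     "SECOND_AUTHENTICATION_FACTOR": None, "IS_SUCCESS": "NO"},
    {"EVENT_TIMESTAMP": "2024-05-01T09:02:00", "USER_NAME": "ANALYST_C",
     "CLIENT_IP": "203.0.113.20", "FIRST_AUTHENTICATION_FACTOR": "PASSWORD",
     "SECOND_AUTHENTICATION_FACTOR": "DUO_PUSH", "IS_SUCCESS": "YES"},
    {"EVENT_TIMESTAMP": "2024-05-01T09:05:00", "USER_NAME": "ADMIN_X",
     "CLIENT_IP": "203.0.113.21", "FIRST_AUTHENTICATION_FACTOR": "SAML2_ASSERTION",
     "SECOND_AUTHENTICATION_FACTOR": None, "IS_SUCCESS": "YES"},
]


def password_only_logins(rows):
    """Successful logins that used a password and no second factor.

    SSO (SAML) and key-pair logins are deliberately not flagged here: any MFA
    for them is enforced by the identity provider and is not visible in the
    Snowflake login view, so they need a separate check on the IdP side.
    """
    return [r for r in rows
            if r["IS_SUCCESS"] == "YES"
            and r["FIRST_AUTHENTICATION_FACTOR"] == "PASSWORD"
            and not r["SECOND_AUTHENTICATION_FACTOR"]]


def users_without_mfa(rows):
    """Distinct user names that have signed in with a bare password."""
    return sorted({r["USER_NAME"] for r in password_only_logins(rows)})


def mfa_coverage(rows):
    """Fraction of successful password logins that also had a second factor."""
    pw_logins = [r for r in rows
                 if r["IS_SUCCESS"] == "YES"
                 and r["FIRST_AUTHENTICATION_FACTOR"] == "PASSWORD"]
    if not pw_logins:
        return 1.0
    with_mfa = sum(1 for r in pw_logins if r["SECOND_AUTHENTICATION_FACTOR"])
    return with_mfa / len(pw_logins)


def shared_source_ips(rows, min_users=2):
    """Client IPs from which several distinct users attempted to log in.

    Many different accounts being tried from one source is a generic indicator
    of stolen credentials being used in bulk; on its own it is a lead to
    triage (shared office egress looks the same), not proof of compromise.
    Failed attempts are included on purpose, since they are part of the pattern.
    """
    users_by_ip = defaultdict(set)
    for r in rows:
        users_by_ip[r["CLIENT_IP"]].add(r["USER_NAME"])
    return {ip: sorted(users) for ip, users in users_by_ip.items()
            if len(users) >= min_users}


if __name__ == "__main__":
    print("Users with password-only logins:", users_without_mfa(SAMPLE_ROWS))
    print("MFA coverage of password logins: %.0f%%" % (100 * mfa_coverage(SAMPLE_ROWS)))
    print("Source IPs used by several accounts:", shared_source_ips(SAMPLE_ROWS))
```

On a real account the same three checks would be run against the live LOGIN_HISTORY view rather than an embedded list, and the list of password-only users is the natural input to an enforcement step such as requiring MFA or moving service accounts to key-pair or OAuth authentication; the shared-IP output is a triage list, not an alert by itself.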


References

  1. Matt Egan and Sean Lyngaas, "Nearly all AT&T cell customers' call and text records exposed in a massive breach". edition.cnn.com. 12 June 2024. Retrieved 22 May 2025.
  2. "Ticketmaster confirms hack which could affect 560m". bbc.com. 2 June 2024. Retrieved 22 May 2025.
  3. Jordan Smith, "The Cybersecurity Stories that Defined 2024 in the Channel". channelinsider.com. 17 December 2024. Retrieved 22 May 2025.
  4. Kim Zetter, "The Snowflake Attack May Be Turning Into One of the Largest Data Breaches Ever". wired.com. 17 June 2024. Retrieved 22 May 2025.
  5. Sergiu Gatlan, "Advance Auto Parts stolen data for sale after Snowflake attack". bleepingcomputer.com. 5 June 2024. Retrieved 22 May 2025.
  6. Mathew J. Schwartz, "Victims of Snowflake Data Breach Receive Ransom Demands". bankinfosecurity.com. 20 June 2024. Retrieved 22 May 2025.
  7. Jessica Lyons, "Snowflake customers not using MFA are not unique – over 165 of them have been compromised". theregister.com. 11 June 2024. Retrieved 22 May 2025.
  8. Ravie Lakshmanan, "Snowflake Breach Exposes 165 Customers' Data in Ongoing Extortion Campaign". thehackernews.com. 11 June 2024. Retrieved 22 May 2025.
  9. "UNC5537 Targets Snowflake Customer Instances for Data Theft and Extortion". cloud.google.com. 10 June 2024. Retrieved 22 May 2025.
  10. "Unpacking the 2024 Snowflake Data Breach". cloudsecurityalliance.org. 7 May 2025. Retrieved 22 May 2025.
  11. Kim Zetter, "AT&T Paid a Hacker $370,000 to Delete Stolen Phone Records". wired.com. 14 July 2024. Retrieved 22 May 2025.
  12. Wes Davis, "AT&T reportedly gave $370,000 to a hacker to delete its stolen customer data". theverge.com. Retrieved 22 May 2025.
  13. Jonathan Greig, "Alleged Snowflake hacker consents to extradition from Canada after US charges". therecord.media. 25 March 2025. Retrieved 22 May 2025.
  14. "Charges Unsealed Against Alleged Hackers of Snowflake Customers". bloomberg.com. 24 November 2024. Retrieved 22 May 2025.
  15. "Canadian Man Arrested in Snowflake Data Extortions – Krebs on Security". wancore.fr. Retrieved 22 May 2025.
  16. "Canadian Man Arrested in Snowflake Data Extortions". krebsonsecurity.com. 5 November 2024. Retrieved 22 May 2025.