Snowflake data breach

The Snowflake data breach refers to a large-scale cybersecurity incident in 2024 involving unauthorized access to customer cloud environments hosted on Snowflake Inc., a cloud-based data warehousing platform.^{[1] [2]} The breach affected numerous high-profile clients and has been regarded as one of the most significant data security incidents of the decade.^[3]

Background

Snowflake Inc. provides a cloud data platform widely adopted by large enterprises for storing and analyzing data. In 2024, it became the focal point of a major cyberattack campaign that compromised sensitive data from more than 100 of its customers.^[4]

2024 breach

In mid-2024, at least 160 organizations were reportedly targeted through vulnerabilities in how their Snowflake environments were configured and accessed. Affected companies included AT&T, Ticketmaster/Live Nation, Santander Bank, LendingTree, Advance Auto Parts, Neiman Marcus, and Bausch Health.^[4][5]

The breach resulted in the theft of a wide range of sensitive data, such as:

• Personally Identifiable Information (PII)^[4]
• Medical prescriber DEA numbers^[4]
• Digital event tickets^[4]
• Over 50 billion call records from AT&T^[4]

The stolen data was allegedly used for extortion, with hackers demanding ransoms from affected organizations in exchange for not leaking or selling the information.^[6]

Nature of the attack

Security investigations revealed that the attackers—members of a known hacking group referred to as UNC5537 or Scattered Spider accessed customer environments by exploiting stolen credentials obtained via infostealer malware.^[7] These credentials, which lacked multi-factor authentication (MFA) protection in many cases, allowed the attackers to log in to Snowflake customer instances directly using just a username and password.^[8]

A report by cybersecurity firm, Mandiant (a subsidiary of Google Cloud) outlined the method of extortion and scale of the incident, noting that over 160 customer environments may have been accessed.^[9][10]

Impact and government response

The breach had particularly serious implications for AT&T, whose call and text message metadata involving nearly all U.S. customers was compromised.^[1][4] The breach prompted an unprecedented request from the U.S. Department of Justice, which asked AT&T to delay public disclosure due to national security and public safety concerns.^[1][4] Reports later confirmed that AT&T paid a ransom of $370,000 in an attempt to have the stolen data deleted.^[11][12]

Arrests and attribution

In late 2024, law enforcement agencies in the United States and Canada identified and apprehended two core individuals allegedly responsible for the attack:

• Connor Riley Moucka, 25 (aliases: Waifu, Judische, Ellyel8), was arrested in Kitchener, Ontario, Canada on October 30, 2024.^[13] He faces multiple charges in Washington state, including conspiracy, computer fraud, extortion, and identity theft.^[13][14]
• John Erin Binns, 24 (aliases: IRDev, IntelSecrets), was arrested in Turkey in May 2024.^[15] He is currently detained pending possible extradition to the United States, where he also faces charges linked to the 2021 T-Mobile breach.^[16]

Court documents also reference a third unnamed individual, known only by the alias Reddington, who allegedly acted as an intermediary between the hackers and victim organizations.^[11]

Security implications

The breach drew attention to widespread security misconfigurations and insufficient enforcement of multi-factor authentication across cloud platforms.^[1] It also raised concerns over third-party risk and the need for tighter access controls and credential hygiene within cloud ecosystems.^[1]

See also

• List of data breaches
• T-Mobile data breach
• Scattered Spider
• ShinyHunters