Snowflake Customer Breach Campaign 2024

2024-04-01T00:00:00.000Z
BREACH INTELLIGENCE
Breach Date

2024-04-01T00:00:00.000Z

Industry

Technology / Cloud Data (impact: Retail, Telecommunications, Financial Services)

Severity

Critical

Records Exposed

165+ tenants hit

Financial Impact

Billions across victims

Breach Summary

The Snowflake customer breach campaign of 2024 was the most consequential cloud data warehouse attack in history. A threat actor group used credentials stolen by information-stealing malware to access dozens of major companies' Snowflake environments — including AT&T, Ticketmaster, Advance Auto Parts, and Santander Bank — resulting in the theft of data affecting hundreds of millions of individuals across multiple high-profile incidents.

What Happened

The campaign began in approximately April 2024. Ticketmaster disclosed in May 2024 that 560 million customer records had been stolen from its Snowflake environment. AT&T disclosed in July 2024 that call records for nearly all customers had been stolen from Snowflake. Santander and Advance Auto Parts disclosed separately. Snowflake issued advisories recommending MFA enforcement. Two individuals were arrested in connection with the campaign in November 2024.

Attack Vector Detail

The attack leveraged a simple but effective technique: information-stealing malware that infected employee computers collected Snowflake credentials stored in browsers or credential managers. The attackers used these stolen credentials to log into Snowflake instances directly. The Snowflake platform itself was not breached. The individual customer environments were accessed because those customers were not enforcing multi-factor authentication on their Snowflake accounts.

Snowflake issued a security advisory confirming the campaign in June 2024, noting that all confirmed victim organizations lacked MFA enforcement on their Snowflake accounts. The attackers identified the Snowflake platform as a high-value target specifically because it aggregates large volumes of data and many enterprise customers had not enforced MFA.

Breach Pattern Timeline

April-May 2024

Threat actor UNC5537 (Mandiant attribution; later identified as primarily Connor Riley Moucka and John Erin Binns) begins systematic credential-stuffing campaign against Snowflake customer accounts using credentials harvested from infostealer malware logs on dark web markets.

April-June 2024

UNC5537 successfully accesses ~165 Snowflake customer environments. Critical detail: Snowflake itself is NOT breached. The customer accounts compromised had not enabled multi-factor authentication, and the credentials had been previously stolen from employees' personal devices via infostealer malware (Lumma, RisePro, Vidar).

May-June 2024

Confirmed affected Snowflake customers: Ticketmaster (560M records), Santander Bank, AT&T (110M+ records), Advance Auto Parts (3M), Neiman Marcus, LendingTree/QuoteWizard, Pure Storage, and many more. Pattern: large enterprises that hadn't enforced MFA on Snowflake.

May 31, 2024

Snowflake publicly addresses the situation. Confirms no Snowflake infrastructure breach. Identifies the issue as 'targeted threat campaign against some Snowflake customer accounts' that lacked MFA.

June 2024

Snowflake announces mandatory MFA enforcement for new accounts and stronger MFA recommendations for existing customers.

July-August 2024

Mandiant publishes detailed UNC5537 attribution. Mandiant tracks the campaign's broader financial impact: estimated $2-3B+ in collective costs across affected organizations.

November 2024

FBI arrests Connor Riley Moucka in Canada. John Erin Binns identified and prosecuted. U.S. federal charges in Western District of Washington.

2025-2026

Snowflake mandates MFA enforcement on all accounts effective late 2024. Industry-wide reassessment of SaaS authentication defaults. Snowflake-customer breach campaign becomes foundational case for: (1) infostealer logs as the primary 2024 enterprise breach vector, (2) MFA-by-default as a SaaS provider responsibility, (3) shared responsibility model gaps.

Total impact: ~165 Snowflake customer environments breached affecting 700M+ records collectively (Ticketmaster, AT&T, Santander, Neiman Marcus, others), $2-3B+ collective costs, foundational precedent for infostealer-driven breach campaigns and SaaS MFA-by-default.

Executive Lessons

The Snowflake campaign established that cloud data platforms housing sensitive data from hundreds of enterprise customers represent extremely high-value targets for credential theft. The common thread across all affected Snowflake tenants was the absence of MFA on the compromised accounts — credentials alone were sufficient to access massive datasets. Organizations using Snowflake or similar cloud data platforms must enforce MFA as a non-negotiable baseline and monitor for anomalous data access patterns.
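One way to turn the two controls above (an MFA baseline and monitoring for anomalous access) into a concrete check, as an added example that is not part of this article or of Snowflake's own tooling: the logic runs over constructed rows shaped like SNOWFLAKE.ACCOUNT_USAGE.LOGIN_HISTORY, flags successful password-only logins, and flags post-baseline logins from an IP or client type a user has never used. The SQL string, the sample values and the baseline cutoff are assumptions.

```python
"""Detect the 2024 Snowflake campaign pattern in login telemetry:
a successful password-only login (no second factor), especially from a
source the user has never used. Constructed sample data, not real logs."""
from collections import defaultdict

# Query an admin would run to pull the same columns (assumed; adjust the window).
LOGIN_HISTORY_SQL = """
SELECT event_timestamp, user_name, client_ip, reported_client_type,
       first_authentication_factor, second_authentication_factor, is_success
FROM snowflake.account_usage.login_history
WHERE event_timestamp > DATEADD(day, -30, CURRENT_TIMESTAMP())
ORDER BY event_timestamp;
"""

def row(ts, user, ip, client, second_factor, success="YES"):
    """Build one LOGIN_HISTORY-shaped record (constructed)."""
    return {"EVENT_TIMESTAMP": ts, "USER_NAME": user, "CLIENT_IP": ip,
            "REPORTED_CLIENT_TYPE": client, "FIRST_AUTHENTICATION_FACTOR": "PASSWORD",
            "SECOND_AUTHENTICATION_FACTOR": second_factor, "IS_SUCCESS": success}

SAMPLE_ROWS = [  # constructed; IPs are documentation ranges
    row("2024-03-20T08:02:11", "ANALYST_A", "203.0.113.10", "SNOWFLAKE_UI", "DUO_PUSH"),
    row("2024-03-21T02:00:00", "ETL_SVC", "203.0.113.20", "PYTHON_DRIVER", None),
    row("2024-03-22T09:15:00", "ANALYST_B", "203.0.113.30", "SNOWFLAKE_UI", None),
    row("2024-04-14T09:40:00", "ANALYST_B", "198.51.100.7", "JDBC_DRIVER", None),
    row("2024-04-15T08:05:00", "ANALYST_A", "203.0.113.10", "SNOWFLAKE_UI", "DUO_PUSH"),
    row("2024-04-15T08:06:00", "ANALYST_B", "198.51.100.8", "JDBC_DRIVER", None, "NO"),
]

def find_password_only_logins(rows):
    """Successful logins that used a password and no second factor."""
    return [r for r in rows if r["IS_SUCCESS"] == "YES"
            and r["FIRST_AUTHENTICATION_FACTOR"] == "PASSWORD"
            and not r["SECOND_AUTHENTICATION_FACTOR"]]

def users_without_mfa(rows):
    """Accounts that should be MFA-enrolled (or converted to key-pair auth)."""
    return sorted({r["USER_NAME"] for r in find_password_only_logins(rows)})

def find_new_source_logins(rows, baseline_before):
    """Successful logins at/after baseline_before from an IP or client type
    the user did not use during the baseline period (ISO timestamps sort as text)."""
    seen_ip, seen_client, flagged = defaultdict(set), defaultdict(set), []
    for r in sorted(rows, key=lambda r: r["EVENT_TIMESTAMP"]):
        if r["IS_SUCCESS"] != "YES":
            continue
        user = r["USER_NAME"]
        if r["EVENT_TIMESTAMP"] < baseline_before:
            seen_ip[user].add(r["CLIENT_IP"])
            seen_client[user].add(r["REPORTED_CLIENT_TYPE"])
            continue
        reasons = [tag for tag, ok in (("new_ip", r["CLIENT_IP"] in seen_ip[user]),
                   ("new_client_type", r["REPORTED_CLIENT_TYPE"] in seen_client[user])) if not ok]
        if reasons:
            flagged.append((user, r["EVENT_TIMESTAMP"], reasons))
    return flagged
```

A service account like ETL_SVC shows up in the password-only list too; the remediation there is key-pair or OAuth authentication rather than a human MFA prompt.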

Private Equity Implications

For PE portfolio companies using Snowflake or any cloud data warehouse without mandatory MFA, the Snowflake campaign established the specific and immediate action required: enforce MFA on all cloud data platform accounts. Any environment not yet compliant is exposed to the same attack pattern that affected AT&T and Ticketmaster.

How Cloudskope Can Help

Cloudskope's cloud security assessments evaluate MFA enforcement across all cloud data platforms, information-stealer detection capability, and credential exposure monitoring — specifically addressing the attack vectors demonstrated by the Snowflake campaign.

Frequently Asked Questions

What was the Snowflake customer breach campaign?

Between April and June 2024, threat actor UNC5537 (also tracked as Sp1d3rHunters) compromised approximately 165 Snowflake customer accounts using stolen credentials harvested from infostealer malware. The campaign exposed massive volumes of customer data including Ticketmaster (560M records), AT&T (109M call records), Santander Bank, Advance Auto Parts, and Neiman Marcus.

How did attackers access Snowflake accounts?

The campaign exploited a structural weakness in Snowflake's authentication model. Affected customer accounts had been configured with username/password authentication only, without multi-factor authentication. Attackers used credentials harvested from infostealer-infected computers (often customer employees' personal devices) to access Snowflake tenants where MFA was not enforced.

Was Snowflake itself breached?

No. Snowflake's infrastructure was not compromised. The breaches occurred within individual customer Snowflake instances where customers had not enabled MFA. The pattern revealed that cloud platform security depends as heavily on customer configuration as on provider infrastructure security — a shared responsibility model failure.

How much did the Snowflake breaches cost?

Direct costs across affected organizations exceeded $1 billion. Ticketmaster's parent company Live Nation faced congressional scrutiny and class actions. AT&T disclosed approximately $1 billion in projected total impact from its component of the campaign. Several smaller affected organizations faced existential litigation exposure.

What did Snowflake establish about cloud platform security?

Snowflake demonstrated that the shared responsibility model places critical security configuration burdens on customers — and that cloud platforms with optional security features create predictable failure modes when those features are not adopted. Snowflake responded by allowing customers to enforce MFA at the tenant level and ultimately by making MFA mandatory for new accounts. For executives, the implication is that cloud platform security capability is meaningless without customer enforcement of that capability.