Snowflake Customer Breach Campaign 2024
Breach Summary
The Snowflake customer breach campaign of 2024 was the most consequential cloud data warehouse attack in history. A threat actor group used credentials stolen by information-stealing malware to access dozens of major companies' Snowflake environments — including AT&T, Ticketmaster, Advance Auto Parts, and Santander Bank — resulting in the theft of data affecting hundreds of millions of individuals across multiple high-profile incidents.
What Happened
The campaign began in approximately April 2024. Ticketmaster disclosed in May 2024 that 560 million customer records had been stolen from its Snowflake environment. AT&T disclosed in July 2024 that call records for nearly all of its customers had been stolen from Snowflake. Santander and Advance Auto Parts disclosed their own incidents separately. Snowflake issued advisories recommending MFA enforcement. Two individuals were arrested in connection with the campaign in November 2024.
Attack Vector Detail
The attack leveraged a simple but effective technique: information-stealing malware that infected employee computers collected Snowflake credentials stored in browsers or credential managers. The attackers used these stolen credentials to log into Snowflake instances directly. The Snowflake platform itself was not breached. The individual customer environments were accessed because those customers were not enforcing multi-factor authentication on their Snowflake accounts.
Snowflake issued a security advisory confirming the campaign in June 2024, noting that all confirmed victim organizations lacked MFA enforcement on their Snowflake accounts. The attackers identified the Snowflake platform as a high-value target specifically because it aggregates large volumes of data and many enterprise customers had not enforced MFA.
Breach Pattern Timeline
April-May 2024
Threat actor UNC5537 (Mandiant attribution; later identified as primarily Connor Riley Moucka and John Erin Binns) begins a systematic credential-stuffing campaign against Snowflake customer accounts, using credentials harvested from infostealer malware logs sold on dark web markets.
April-June 2024
UNC5537 successfully accesses ~165 Snowflake customer environments. Critical detail: Snowflake itself is NOT breached. The customer accounts compromised had not enabled multi-factor authentication, and the credentials had been previously stolen from employees' personal devices via infostealer malware (Lumma, RisePro, Vidar).
May-June 2024
Confirmed affected Snowflake customers: Ticketmaster (560M records), Santander Bank, AT&T (110M+ records), Advance Auto Parts (3M), Neiman Marcus, LendingTree/QuoteWizard, Pure Storage, and many more. Pattern: large enterprises that hadn't enforced MFA on Snowflake.
May 31, 2024
Snowflake publicly addresses the situation. Confirms no Snowflake infrastructure breach. Identifies the issue as 'targeted threat campaign against some Snowflake customer accounts' that lacked MFA.
June 2024
Snowflake announces mandatory MFA enforcement for new accounts and stronger MFA recommendations for existing customers.
July-August 2024
Mandiant publishes detailed UNC5537 attribution. Mandiant tracks the campaign's broader financial impact: estimated $2-3B+ in collective costs across affected organizations.
November 2024
FBI arrests Connor Riley Moucka in Canada. John Erin Binns identified and prosecuted. U.S. federal charges in Western District of Washington.
2025-2026
Snowflake mandates MFA enforcement on all accounts effective late 2024. Industry-wide reassessment of SaaS authentication defaults. Snowflake-customer breach campaign becomes foundational case for: (1) infostealer logs as the primary 2024 enterprise breach vector, (2) MFA-by-default as a SaaS provider responsibility, (3) shared responsibility model gaps.
Total impact: ~165 Snowflake customer environments breached affecting 700M+ records collectively (Ticketmaster, AT&T, Santander, Neiman Marcus, others), $2-3B+ collective costs, foundational precedent for infostealer-driven breach campaigns and SaaS MFA-by-default.
Executive Lessons
The Snowflake campaign established that cloud data platforms housing sensitive data from hundreds of enterprise customers represent extremely high-value targets for credential theft. The common thread across all affected Snowflake tenants was the absence of MFA on the compromised accounts — credentials alone were sufficient to access massive datasets. Organizations using Snowflake or similar cloud data platforms must enforce MFA as a non-negotiable baseline and monitor for anomalous data access patterns.
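The two controls named above, enforcing MFA and watching for anomalous access, map directly onto Snowflake's own authentication policies and ACCOUNT_USAGE views. The following is an added example, not code from the original page or from Snowflake's advisories; the policy name and the row-count threshold are assumed placeholders, and the role is assumed to have ACCOUNTADMIN privileges.

```sql
-- Added example (not from the original page or from Snowflake's advisories).
-- 1) An account-level authentication policy that requires MFA for password logins.
-- 2) A hunt over ACCOUNT_USAGE.LOGIN_HISTORY for password-only successful logins,
--    i.e. accounts still exposed to the stolen-credential pattern described above.
-- 3) A hunt over ACCOUNT_USAGE.QUERY_HISTORY for bulk data movement.
-- Policy name and the 1,000,000-row threshold are assumed placeholders.

USE ROLE ACCOUNTADMIN;

-- 1) Require a second factor for every password-based login, account-wide.
CREATE OR REPLACE AUTHENTICATION POLICY require_mfa_policy
  AUTHENTICATION_METHODS     = ('PASSWORD', 'SAML', 'OAUTH', 'KEYPAIR')
  MFA_AUTHENTICATION_METHODS = ('PASSWORD')   -- password logins must present MFA
  MFA_ENROLLMENT             = REQUIRED;      -- users cannot defer enrollment
ALTER ACCOUNT SET AUTHENTICATION POLICY require_mfa_policy;

-- 2) Hunt: successful logins in the last 30 days that used only a password.
--    Many distinct source IPs for one user is the pattern of a replayed credential.
SELECT user_name,
       COUNT(*)                  AS password_only_logins,
       COUNT(DISTINCT client_ip) AS distinct_source_ips,
       MAX(event_timestamp)      AS last_seen
FROM   snowflake.account_usage.login_history
WHERE  event_timestamp > DATEADD('day', -30, CURRENT_TIMESTAMP())
  AND  is_success = 'YES'
  AND  first_authentication_factor = 'PASSWORD'
  AND  second_authentication_factor IS NULL
GROUP  BY user_name
ORDER  BY distinct_source_ips DESC, password_only_logins DESC;

-- 3) Hunt: large result sets or COPY INTO <stage> unloads by a single user,
--    the data-theft stage of this campaign. Tune the row threshold per tenant.
SELECT user_name, start_time, query_type, rows_produced, bytes_scanned,
       LEFT(query_text, 120) AS query_preview
FROM   snowflake.account_usage.query_history
WHERE  start_time > DATEADD('day', -30, CURRENT_TIMESTAMP())
  AND  execution_status = 'SUCCESS'
  AND  (query_type = 'UNLOAD' OR rows_produced > 1000000)   -- assumed threshold
ORDER  BY rows_produced DESC
LIMIT  100;
```

ACCOUNT_USAGE views are populated with a delay of up to a few hours, so these queries are for periodic hunting rather than real-time alerting; any user returned by the second query should be forced through MFA enrollment before the policy is applied, or the policy will lock that user out.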
Private Equity Implications
For PE portfolio companies using Snowflake or any cloud data warehouse without mandatory MFA, the Snowflake campaign established the specific and immediate action required: enforce MFA on all cloud data platform accounts. Any environment not yet compliant is exposed to the same attack pattern that affected AT&T and Ticketmaster.