Snowflake data breach

The Snowflake data breach refers to a large-scale cybersecurity incident in 2024 involving unauthorized access to customer cloud environments hosted on Snowflake Inc., a cloud-based data and AI platform.^{1 2} The breach affected numerous high-profile clients and has been regarded as one of the most significant data security incidents of the decade.³

Snowflake Inc. provides a cloud data and AI platform widely adopted by large enterprises for storing and analyzing data. In 2024, it became the focal point of a major cyberattack campaign that compromised sensitive data from more than 100 of its customers.⁴

In mid-2024, at least 160 organizations were reportedly targeted through vulnerabilities in how their Snowflake environments were configured and accessed. Affected companies included AT&T, Ticketmaster/Live Nation, Santander Bank, LendingTree, Advance Auto Parts, Neiman Marcus, and Bausch Health.⁴⁵

The breach resulted in the theft of a wide range of sensitive data, such as:

• Personally Identifiable Information (PII)⁴
• Medical prescriber DEA numbers⁴
• Digital event tickets⁴
• Over 50 billion call records from AT&T⁴

The stolen data was allegedly used for extortion by the ShinyHunters extortion group, with hackers demanding ransoms from affected organizations in exchange for not leaking or selling the information.⁶

Security investigations revealed that the attackers—members of a known hacking group referred to as UNC5537, Scattered Spider or ShinyHunters—accessed customer environments by exploiting stolen credentials obtained via infostealer malware.⁷ These credentials, which lacked multi-factor authentication (MFA) protection in many cases, allowed the attackers to log in to Snowflake customer instances directly using just a username and password.⁸

A report by cybersecurity firm, Mandiant (a subsidiary of Google Cloud) outlined the method of extortion and scale of the incident, noting that over 160 customer environments may have been accessed.⁹¹⁰

The breach had particularly serious implications for AT&T, whose call and text message metadata involving nearly all U.S. customers was compromised.¹⁴ The breach prompted an unprecedented request from the U.S. Department of Justice, which asked AT&T to delay public disclosure due to national security and public safety concerns.¹⁴ Reports later confirmed that AT&T paid a ransom of $370,000 in an attempt to have the stolen data deleted.¹¹¹²

In late 2024, law enforcement agencies in the United States and Canada identified and apprehended two core individuals allegedly responsible for the attack:

• Connor Riley Moucka, 25 (aliases: Waifu, Judische, Ellyel8), was arrested in Kitchener, Ontario, Canada on October 30, 2024.¹³ He faces multiple charges in Washington state, including conspiracy, computer fraud, extortion, and identity theft.¹³¹⁴
• John Erin Binns, 24 (aliases: IRDev, IntelSecrets), was arrested in Turkey in May 2024.¹⁵ He is currently detained pending possible extradition to the United States, where he also faces charges linked to the 2021 T-Mobile breach.¹⁶

Court documents also reference a third unnamed individual, known only by the alias Reddington, who allegedly acted as an intermediary between the hackers and victim organizations.¹¹

The breach drew attention to widespread security misconfigurations and insufficient enforcement of multi-factor authentication across cloud platforms. It also raised concerns over third-party risk and the need for tighter access controls and credential hygiene within cloud ecosystems.¹