Form: Cost-of-Breach Disclosure | Source: IBM 2025 | Filed: 28 Apr 2026
DataBreachCost.com
Case File 04.SNO / Snowflake customer-account cluster | Disclosed late May 2024

Case ID

Snowflake 2024: ~165 customer instances, one missing control.

In 2024 a threat actor tracked as UNC5537 ran a campaign against approximately 165 organisations that used Snowflake's cloud data platform. The attacker did not breach Snowflake itself. It logged in to individual customers' Snowflake instances using credentials harvested by infostealer malware from employee and contractor devices, targeting accounts that had not enabled multi-factor authentication. Victims included Ticketmaster (up to 560M records advertised), AT&T (call and text metadata for ~110M), and Santander (~30M). The case is the defining example of shared-responsibility failure in the cloud.

Customer instances hit: ~165 (Snowflake platform not breached)
Ticketmaster records: 560M (advertised for sale)
AT&T customers: ~110M (call and text metadata)
Root cause: No MFA (stolen infostealer credentials)

Section SNO.1

What was breached, and what was not

The single most important fact about the Snowflake 2024 incident is that Snowflake's own infrastructure, platform, and managed service were not breached. There was no vulnerability in Snowflake's software and no compromise of Snowflake's internal systems. Instead, attackers compromised individual customers' Snowflake accounts (the data warehouses those customers operated on the Snowflake platform) by logging in with valid stolen credentials. Calling it "the Snowflake breach" is a useful shorthand for the cluster of victims, but it misstates where the failure occurred.

Mandiant, which investigated alongside Snowflake and CrowdStrike, tracked the threat actor as UNC5537 (with reported ties to the loose ShinyHunters and Scattered Spider ecosystems). The attacker acquired usernames and passwords stolen by infostealer malware, much of it harvested from devices years earlier and traded on criminal marketplaces, then authenticated directly to Snowflake customer tenants. The decisive factor was that the targeted accounts had not enabled multi-factor authentication, so a username and password alone granted full access. Snowflake disclosed the campaign publicly in late May 2024 and Mandiant estimated roughly 165 customer organisations were affected.

The incident reshaped Snowflake's product defaults. In the aftermath Snowflake moved to allow administrators to enforce MFA across their accounts and signalled a shift toward MFA by default, an explicit acknowledgement that leaving the strongest authentication control optional had produced systemic customer harm even where the platform itself was sound.

Section SNO.2

The victim cluster: per-customer exposure

Customer | Reported exposure | Source
Ticketmaster / Live Nation | Up to 560M records advertised | ShinyHunters dark-web listing, late May 2024; Live Nation 8-K
AT&T | Call and text metadata for ~110M customers | AT&T 8-K, disclosed 12 July 2024
Santander | ~30M customers (Chile, Spain, Uruguay) | Santander statement and attacker claims, May 2024
Advance Auto Parts | Reported millions of records (employees + applicants) | Contemporaneous reporting, 2024
Others (LendingTree/QuoteWizard, Neiman Marcus, Pure Storage, etc.) | Varies; part of the ~165 cluster | Mandiant / contemporaneous reporting, 2024
AT&T ransom payment | ~$370,000 in Bitcoin | Reported July 2024 (to delete stolen records)
Total affected organisations | ~165 customer instances | Mandiant estimate, 2024

Record counts in this cluster are mostly attacker claims and advertised figures rather than confirmed forensic totals. The Ticketmaster "560 million" figure was the size the ShinyHunters listing advertised; the actual number of distinct affected individuals may differ. The AT&T ~110 million is the customer count whose call and text metadata records were taken (the data was metadata, not call content). Treat each figure as "reported" or "advertised" unless tied to a specific company disclosure such as an SEC 8-K.

Section SNO.3

The AT&T metadata breach and the $370K ransom

AT&T disclosed its piece of the cluster on 12 July 2024 in an SEC 8-K. The exposed data was call and text metadata: records of which numbers contacted which numbers, call durations, and for some records cell-tower identifiers that can approximate location, covering nearly all of AT&T's mobile customers, reported as approximately 110 million. The content of calls and texts was not taken, but metadata at this scale is highly sensitive: it can reveal patterns of life, relationships, and movement.

AT&T reportedly paid approximately $370,000 in Bitcoin to a member of the threat-actor group in exchange for deleting the stolen records, with a video purporting to show the deletion. As with the Change Healthcare ransom the same year, paying did not provide certainty: there is no way to prove copies were not retained, and the payment surfaced the recurring debate about whether ransom payments to delete exfiltrated data ever deliver the promised outcome. The AT&T disclosure also drew scrutiny because the company had received a US Department of Justice authorisation to delay public notification on national-security and public-safety grounds.

Note that AT&T suffered a separate, unrelated data exposure earlier in 2024 involving roughly 73 million records surfacing on the dark web; the Snowflake-linked incident described here is the call-and-text-metadata breach disclosed in July 2024, not that earlier event.

Section SNO.4

Arrests and litigation

Alexander "Connor" Moucka (alias Judische), a Canadian national, was arrested in Ontario on 30 October 2024 on a US extradition request. In November 2024 the US Department of Justice unsealed an indictment against Moucka and John Erin Binns in connection with the campaign. Binns had separately been linked to the 2021 T-Mobile breach. A third individual using the alias "Kiberphant0m" was also pursued by investigators. The arrests demonstrated that even attacks executed entirely through stolen credentials and infostealer logs can be attributed and prosecuted.

On the civil side, the individual customer breaches spawned class-action litigation. Ticketmaster/Live Nation faced proposed class actions alleging inadequate security and delayed notification, and the various Snowflake-customer cases were consolidated into multidistrict litigation. Because liability sits with each affected customer rather than with Snowflake, the financial exposure is distributed across many companies rather than concentrated in one defendant, one reason there is no single headline cost figure for "the Snowflake breach" the way there is for Equifax or Change Healthcare.

Section SNO.5

Lessons: shared responsibility and infostealer hygiene

The Snowflake cluster is the textbook illustration of the cloud shared-responsibility model. The platform provider secures the platform; the customer secures their use of it, including identity and access management. Snowflake offered MFA but did not, at the time, enforce it by default, and the affected customers had not turned it on. Every one of the ~165 breaches would likely have been prevented by mandatory MFA on the Snowflake tenant. The episode pushed the entire SaaS and data-platform industry toward MFA-by-default and toward providers taking a more active role rather than leaving the strongest control optional.

The second lesson concerns infostealer malware. Many of the credentials used in the campaign had been stolen from personal and corporate devices, sometimes years earlier, and sat in logs traded on criminal marketplaces until weaponised. Organisations that assume a stale password is a low risk miss that infostealer logs give attackers a continuously refreshed inventory of valid corporate credentials. The defensive implications are mandatory MFA everywhere, monitoring for corporate credentials appearing in infostealer dumps, and the recognition that any single-factor cloud login is one infostealer infection away from compromise.
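The two controls this section describes, finding single-factor logins and making MFA mandatory on the tenant, can both be expressed against Snowflake itself. The following is an added example written for this case file, not code from Snowflake, Mandiant or any of the affected companies. It assumes the SNOWFLAKE.ACCOUNT_USAGE views LOGIN_HISTORY and USERS with the column names shown, and Snowflake's CREATE AUTHENTICATION POLICY / ALTER ACCOUNT SET AUTHENTICATION POLICY syntax; the policy name require_mfa_policy and the 30-day window are placeholders chosen for the example.

```sql
-- Added example (not from the original page). Run as a role that can read
-- SNOWFLAKE.ACCOUNT_USAGE and, for step 3, apply authentication policies.

-- 1. Detect: successful password logins with no second factor in the last
--    30 days. A valid password plus a NULL second factor is exactly the
--    login shape that stolen infostealer credentials produce.
SELECT
    user_name,
    COUNT(*)                  AS single_factor_logins,
    COUNT(DISTINCT client_ip) AS distinct_source_ips,
    MIN(event_timestamp)      AS first_seen,
    MAX(event_timestamp)      AS last_seen
FROM snowflake.account_usage.login_history
WHERE is_success = 'YES'
  AND first_authentication_factor = 'PASSWORD'
  AND second_authentication_factor IS NULL
  AND event_timestamp >= DATEADD(day, -30, CURRENT_TIMESTAMP())
GROUP BY user_name
ORDER BY distinct_source_ips DESC, single_factor_logins DESC;

-- 2. Inventory: live users that still hold a password but are not enrolled
--    in MFA. DISABLED is cast because the view exposes it as a variant
--    (assumption about the column type).
SELECT name, login_name, has_password, has_mfa, last_success_login
FROM snowflake.account_usage.users
WHERE deleted_on IS NULL
  AND NOT COALESCE(disabled::BOOLEAN, FALSE)
  AND has_password = TRUE
  AND has_mfa = FALSE
ORDER BY last_success_login DESC NULLS LAST;

-- 3. Enforce: an account-level authentication policy that requires MFA
--    enrolment for password-based logins. The policy is a schema-level
--    object, so create it in the schema you keep security policies in.
--    require_mfa_policy is a placeholder name.
CREATE AUTHENTICATION POLICY IF NOT EXISTS require_mfa_policy
  MFA_ENROLLMENT = REQUIRED
  MFA_AUTHENTICATION_METHODS = ('PASSWORD')
  COMMENT = 'Require MFA for password logins (added after the 2024 customer-account campaign)';

ALTER ACCOUNT SET AUTHENTICATION POLICY require_mfa_policy;
```

Two caveats worth knowing before relying on this: ACCOUNT_USAGE views are populated with a lag of up to a couple of hours, so step 1 is an audit query rather than a real-time alert, and step 3 requires the APPLY AUTHENTICATION POLICY privilege on the account. Service accounts that cannot complete an MFA prompt should be moved to key-pair or OAuth authentication before the policy is applied, otherwise the enforcement step will lock them out.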

Primary source: Snowflake 2024 customer-account breach data from Snowflake and Mandiant public statements (late May 2024), AT&T SEC 8-K (12 July 2024), Live Nation/Ticketmaster 8-K and dark-web listings, Santander statements, US DOJ indictment of Moucka and Binns (November 2024), and contemporaneous reporting. Per-company record counts are largely reported or attacker-advertised figures, not confirmed forensic totals (verified 13 June 2026).