Snowflake data breach
{{Short description|Large-scale cybersecurity incident in 2024}}
The Snowflake data breach refers to a large-scale cybersecurity incident in 2024 involving unauthorized access to customer environments hosted on the platform of Snowflake Inc., a cloud data warehousing provider. Matt Egan and Sean Lyngaas,{{cite web|url=https://edition.cnn.com/2024/07/12/business/att-customers-massive-breach|title=Nearly all AT&T cell customers’ call and text records exposed in a massive breach|publisher=edition.cnn.com|date=12 July 2024|accessdate=22 May 2025}}
{{cite web|url=https://www.bbc.com/news/articles/cw99ql0239wo|title=Ticketmaster confirms hack which could affect 560m|publisher=bbc.com|date=2 June 2024|accessdate=22 May 2025}} The breach affected numerous high-profile clients and has been regarded as one of the most significant data security incidents of the decade. Jordan Smith,{{cite web|url=https://www.channelinsider.com/security/channel-top-cybersecurity-stories-2024/|title=The Cybersecurity Stories that Defined 2024 in the Channel|publisher=channelinsider.com|date=17 December 2024|accessdate=22 May 2025}}
Background
Snowflake Inc. provides a cloud data platform widely adopted by large enterprises for storing and analyzing data. In 2024, it became the focal point of a major data theft and extortion campaign that compromised sensitive data held by approximately 165 of its customers. Kim Zetter,{{cite web|url=https://www.wired.com/story/epam-snowflake-ticketmaster-breach-shinyhunters/|title=The Snowflake Attack May Be Turning Into One of the Largest Data Breaches Ever|publisher=wired.com|date=17 June 2024|accessdate=22 May 2025}}
2024 breach
In mid-2024, approximately 165 organizations were reportedly targeted. The attackers did not exploit a vulnerability in the Snowflake platform itself; they logged in with valid customer credentials that had been stolen and that were not protected by multi-factor authentication or by network restrictions on the customer's Snowflake account. Affected companies included AT&T, Ticketmaster/Live Nation, Santander Bank, LendingTree, Advance Auto Parts, Neiman Marcus, and Bausch Health. Sergiu Gatlan,{{cite web|url=https://www.bleepingcomputer.com/news/security/advance-auto-parts-stolen-data-for-sale-after-snowflake-attack/|title=Advance Auto Parts stolen data for sale after Snowflake attack|publisher=bleepingcomputer.com|date=5 June 2024|accessdate=22 May 2025}}
The breach resulted in the theft of a wide range of sensitive data, including:
- Personally Identifiable Information (PII)
- Medical prescriber DEA numbers
- Digital event tickets
- Over 50 billion call and text records from AT&T
The stolen data was allegedly used for extortion, with hackers demanding ransoms from affected organizations in exchange for not leaking or selling the information.Mathew J. Schwartz,{{cite web|url=https://www.bankinfosecurity.com/snowflake-data-breach-customers-hit-by-ransom-demands-a-25576|title=Victims of Snowflake Data Breach Receive Ransom Demands|publisher=bankinfosecurity.com|date=20 June 2024|accessdate=22 May 2025}}
= Nature of the attack =
Security investigations revealed that the attackers, a financially motivated group tracked by Mandiant as UNC5537 and associated in some reporting with Scattered Spider, accessed customer environments using stolen credentials obtained through infostealer malware, in many cases harvested from employee and contractor systems years earlier and never rotated. Jessica Lyons,{{cite web|url=https://www.theregister.com/2024/06/11/crims_targeting_snowflake_customers/|title=Snowflake customers not using MFA are not unique – over 165 of them have been compromised|publisher=theregister.com|date=11 June 2024|accessdate=22 May 2025}} The compromised accounts were not protected by multi-factor authentication (MFA), and the affected customer accounts had no network allow-lists restricting where logins could originate, so the attackers were able to authenticate to Snowflake customer instances directly with only a username and password. Ravie Lakshmanan,{{cite web|url=https://thehackernews.com/2024/06/snowflake-breach-exposes-165-customers.html|title=Snowflake Breach Exposes 165 Customers' Data in Ongoing Extortion Campaign|publisher=thehackernews.com|date=11 June 2024|accessdate=22 May 2025}}
A report by the cybersecurity firm Mandiant (a subsidiary of Google Cloud) outlined the intrusion method, the extortion campaign, and the scale of the incident, noting that approximately 165 customer environments may have been accessed.{{cite web|url=https://cloud.google.com/blog/topics/threat-intelligence/unc5537-snowflake-data-theft-extortion|title=UNC5537 Targets Snowflake Customer Instances for Data Theft and Extortion|publisher=cloud.google.com|date=10 June 2024|accessdate=22 May 2025}}{{cite web|url=https://cloudsecurityalliance.org/blog/2025/05/07/unpacking-the-2024-snowflake-data-breach|title=Unpacking the 2024 Snowflake Data Breach|publisher=cloudsecurityalliance.org|date=7 May 2025|accessdate=22 May 2025}}
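The two weaknesses described above (password-only logins and no network allow-list) are both visible and fixable from inside a Snowflake account. The following Snowflake SQL is an added example written for this article; it is not code from Snowflake, Mandiant, or any of the affected companies. It assumes the ACCOUNTADMIN role, the standard SNOWFLAKE.ACCOUNT_USAGE views, a schema named security.policies to hold the authentication policy, a corporate egress range of 203.0.113.0/24 (a documentation prefix used here as a constructed value), and a user named alice as a placeholder for any account the inventory query flags.

```sql
-- Added example for this article (not Snowflake's or Mandiant's own code).
-- Assumptions: ACCOUNTADMIN role, standard ACCOUNT_USAGE views, a schema
-- security.policies, a constructed corporate range 203.0.113.0/24, and a
-- placeholder user ALICE.
USE ROLE ACCOUNTADMIN;

-- 1. Inventory: enabled users who can authenticate with a password but have
--    no MFA enrolled. These are the accounts an infostealer log unlocks.
SELECT name, login_name, last_success_login, password_last_set_time
FROM snowflake.account_usage.users
WHERE deleted_on IS NULL
  AND disabled = FALSE
  AND has_password = TRUE
  AND ext_authn_duo = FALSE
ORDER BY password_last_set_time NULLS FIRST;   -- oldest, never-rotated first

-- 2. Hunt: successful logins in the last year where only a password was
--    presented (no second factor) from an IP outside the corporate range.
--    PARSE_IP(..., 'INET') exposes the host address and CIDR bounds as numbers.
SELECT event_timestamp, user_name, client_ip, reported_client_type
FROM snowflake.account_usage.login_history
WHERE is_success = 'YES'
  AND first_authentication_factor = 'PASSWORD'
  AND second_authentication_factor IS NULL
  AND event_timestamp >= DATEADD(day, -365, CURRENT_TIMESTAMP())
  AND client_ip IS NOT NULL
  AND NOT (PARSE_IP(client_ip, 'INET'):ipv4::NUMBER
           BETWEEN PARSE_IP('203.0.113.0/24', 'INET'):ipv4_range_start::NUMBER
               AND PARSE_IP('203.0.113.0/24', 'INET'):ipv4_range_end::NUMBER)
ORDER BY event_timestamp DESC;

-- 3. Contain: force rotation on a flagged account (ALICE is a placeholder).
ALTER USER alice SET MUST_CHANGE_PASSWORD = TRUE;

-- 4. Harden: restrict where logins may come from. Apply to one user first
--    (ALTER USER ... SET NETWORK_POLICY) before setting it account-wide, so a
--    wrong range does not lock administrators out.
CREATE NETWORK POLICY IF NOT EXISTS corp_only
  ALLOWED_IP_LIST = ('203.0.113.0/24');
ALTER ACCOUNT SET NETWORK_POLICY = corp_only;

-- 5. Harden: require MFA enrollment for password users. SNOWFLAKE_UI must be
--    included in CLIENT_TYPES when MFA_ENROLLMENT = REQUIRED, because the
--    enrollment prompt is delivered through the web UI.
USE SCHEMA security.policies;
CREATE AUTHENTICATION POLICY IF NOT EXISTS require_mfa
  MFA_ENROLLMENT = REQUIRED
  CLIENT_TYPES = ('SNOWFLAKE_UI', 'DRIVERS', 'SNOWSQL');
ALTER ACCOUNT SET AUTHENTICATION POLICY require_mfa;
```

Two caveats a practitioner should expect: the ACCOUNT_USAGE views are populated with a delay of up to a couple of hours and LOGIN_HISTORY retains only the last 365 days, so a credential stolen in 2020 and first used in 2024 will show up in the hunt query but its theft will not; and service accounts that authenticate with key pairs (first_authentication_factor = 'RSA_KEYPAIR') are deliberately excluded by the password filter and need their own review.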
Impact and government response
The breach had particularly serious implications for AT&T, whose call and text message metadata covering nearly all of its U.S. wireless customers was compromised. The U.S. Department of Justice made the unusual request that AT&T delay public disclosure, citing national security and public safety concerns. Reports later confirmed that AT&T paid a ransom of approximately $370,000 in an attempt to have the stolen data deleted. Kim Zetter,{{cite web|url=https://www.wired.com/story/atandt-paid-hacker-300000-to-delete-stolen-call-records/|title=AT&T Paid a Hacker $370,000 to Delete Stolen Phone Records|publisher=wired.com|date=14 July 2024|accessdate=22 May 2025}} Wes Davis,{{cite web|url=https://www.theverge.com/2024/7/14/24198294/att-paid-370000-ransom-hacked-customer-data-deleted-may|title=AT&T reportedly gave $370,000 to a hacker to delete its stolen customer data|publisher=theverge.com|date=14 July 2024|accessdate=22 May 2025}}
Arrests and attribution
In November 2024, U.S. prosecutors unsealed an indictment charging two individuals alleged to be the core actors behind the attack, both of whom were already in custody abroad:
- Connor Riley Moucka, 25 (aliases: Waifu, Judische, Ellyel8), was arrested in Kitchener, Ontario, Canada on October 30, 2024. Jonathan Greig,{{cite web|url=https://therecord.media/alleged-snowflake-hacker-extradition-us|title=Alleged Snowflake hacker consents to extradition from Canada after US charges|publisher=therecord.media|date=25 March 2025|accessdate=22 May 2025}} He faces multiple charges in the Western District of Washington, including conspiracy, computer fraud, extortion, and aggravated identity theft.{{cite web|url=https://www.bloomberg.com/news/articles/2024-11-11/charges-unsealed-against-alleged-hackers-of-snowflake-customers|title=Charges Unsealed Against Alleged Hackers of Snowflake Customers|publisher=bloomberg.com|date=11 November 2024|accessdate=22 May 2025}}
- John Erin Binns, 24 (aliases: IRDev, IntelSecrets), was arrested in Turkey in May 2024. He remains detained there pending possible extradition to the United States, where he also faces charges linked to the 2021 T-Mobile breach.{{cite web|url=https://krebsonsecurity.com/2024/11/canadian-man-arrested-in-snowflake-data-extortions/|title=Canadian Man Arrested in Snowflake Data Extortions|publisher=krebsonsecurity.com|date=5 November 2024|accessdate=22 May 2025}}
Court documents also reference a third, unnamed individual, known only by the alias Reddington, who allegedly acted as an intermediary between the hackers and the victim organizations.