The Snowflake cohort credential-stuffing campaign of 2024 was a coordinated criminal operation against approximately 165 organisations using Snowflake's cloud data warehouse. The campaign exploited a single structural weakness shared across the cohort: infostealer-harvested credentials authenticating to Snowflake tenants that did not require multi-factor authentication.
It is the largest publicly documented breach campaign driven by a customer-side configuration failure rather than a platform flaw, and the clearest demonstration to date that a cloud provider's own security does not protect tenants whose authentication policies are deficient.
The structural attack
Each victim in the Snowflake cohort followed the same pattern:
- Months or, in some cases, years earlier (Mandiant traced some of the relevant infections back to 2020), a contractor or employee with Snowflake credentials had been infected with infostealer malware (RedLine, Raccoon, Vidar, or similar commodity tools distributed via malvertising, cracked software and game cheats), often on an unmanaged or personal workstation.
- The infostealer harvested credentials from the workstation, including Snowflake usernames and passwords saved in the browser or in browser-integrated password managers.
- The credentials were sold on criminal forums as part of large credential dumps.
- In April 2024, attackers systematically tested the credentials against Snowflake tenants.
- Where a tenant did not require MFA, the credentials worked, granting access to whatever data Snowflake stored for that tenant. Two further customer-side gaps made old credentials usable: the passwords had not been rotated since the infection, and no network allow-list restricted where a login could originate.
The structural finding: ~165 of Snowflake's customers had infostealer-harvested credentials in criminal markets that worked against their Snowflake tenant. Snowflake's platform was secure; the platform-customer-shared-responsibility boundary had failed at the customer side, at scale.
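The pattern above leaves a recognisable trail in Snowflake's own audit views. The following hunting queries are an added example written for this page, not Snowflake's or Mandiant's published queries, and they assume a role that can read the SNOWFLAKE.ACCOUNT_USAGE share (those views lag live activity by up to about two hours and retain 365 days). Thresholds such as 5 users per IP or 1,000,000 rows are illustrative and should be tuned to the tenant's normal traffic.

```sql
-- Added hunting queries against Snowflake ACCOUNT_USAGE (not from the original page).
-- Assumption: the running role has been granted access to the SNOWFLAKE database.

-- 1. Successful password-only logins (no second factor) in the last 30 days,
--    grouped by user, source IP and client. Every row is an identity that an
--    infostealer-harvested password could have walked straight into.
SELECT
    user_name,
    client_ip,
    reported_client_type,
    reported_client_version,
    COUNT(*)             AS logins,
    MIN(event_timestamp) AS first_seen,
    MAX(event_timestamp) AS last_seen
FROM snowflake.account_usage.login_history
WHERE event_timestamp >= DATEADD('day', -30, CURRENT_TIMESTAMP())
  AND is_success = 'YES'                       -- IS_SUCCESS is the text 'YES'/'NO'
  AND first_authentication_factor = 'PASSWORD'
  AND second_authentication_factor IS NULL
GROUP BY 1, 2, 3, 4
ORDER BY first_seen DESC;

-- 2. Credential-stuffing signature: one source IP trying many distinct
--    usernames with at least one success. A legitimate office egress IP will
--    show many users too, so compare against the network allow-list.
SELECT
    client_ip,
    COUNT(DISTINCT user_name)     AS users_tried,
    COUNT_IF(is_success = 'NO')   AS failures,
    COUNT_IF(is_success = 'YES')  AS successes,
    ARRAY_AGG(DISTINCT user_name) AS user_list
FROM snowflake.account_usage.login_history
WHERE event_timestamp >= DATEADD('day', -30, CURRENT_TIMESTAMP())
GROUP BY client_ip
HAVING COUNT(DISTINCT user_name) >= 5           -- illustrative threshold
   AND COUNT_IF(is_success = 'YES') >= 1
ORDER BY users_tried DESC;

-- 3. Bulk exfiltration after the login: unloads to a stage or unusually large
--    result sets, joined back through SESSIONS to the login event so the
--    source IP and client application travel with the query.
SELECT
    q.start_time,
    q.user_name,
    l.client_ip,
    s.client_application_id,
    q.query_type,
    q.rows_produced,
    q.rows_unloaded,
    q.bytes_written_to_result,
    LEFT(q.query_text, 200) AS query_preview
FROM snowflake.account_usage.query_history AS q
JOIN snowflake.account_usage.sessions      AS s ON s.session_id = q.session_id
JOIN snowflake.account_usage.login_history AS l ON l.event_id   = s.login_event_id
WHERE q.start_time >= DATEADD('day', -30, CURRENT_TIMESTAMP())
  AND (q.query_type = 'UNLOAD'                 -- COPY INTO <stage/location>
       OR q.rows_produced > 1000000            -- illustrative thresholds
       OR q.bytes_written_to_result > 1000000000)
ORDER BY q.start_time DESC;
```

Run query 1 first: if it returns anything at all, the tenant is exposed to exactly the failure mode described above regardless of whether an attacker has yet used it. Queries 2 and 3 are for triage once exposure is confirmed; for near-real-time alerting use the INFORMATION_SCHEMA.LOGIN_HISTORY table function instead of the lagging ACCOUNT_USAGE view.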
Confirmed victims
The campaign affected approximately 165 Snowflake customer tenants (Mandiant's count of potentially exposed organisations). The publicly confirmed victims include some of the largest data exposures in the campaign:
Telecom
- AT&T — ~110M customers; call and text metadata for ~6 months
Media / entertainment
- Ticketmaster (Live Nation) — ~560M customer records as advertised by the sellers (Live Nation confirmed the intrusion but not the count); names, addresses, partial card data
Finance
- Santander Bank — employee records and customer data for Spain, Chile and Uruguay
- LendingTree — customer leads and partial financial data held by its QuoteWizard subsidiary
Retail
- Advance Auto Parts — ~2.3M individuals (current and former employees and job applicants)
- Neiman Marcus — ~64,000 customer records
Technology / SaaS
- Pure Storage — a workspace holding telemetry; the company stated it contained no customer data or credentials
- Pylon Tech
Mandiant's count of approximately 165 organisations leaves roughly 155 that were not publicly named during the campaign's primary news cycle, though a number of them appeared in the criminals' sale listings.
Snowflake's response
Snowflake's response was operationally substantial:
- A commitment in June 2024 to require MFA across customer accounts; MFA became the default for new accounts later in 2024, with enforcement for all human users phased in during 2025.
- Account-level authentication policies that let existing customers require MFA for every user, plus published indicators and hunting queries so customers could check their own login history.
- Notification of affected customers via direct outreach.
- Cooperation with U.S. law enforcement during the criminal-attribution phase.
The framing was carefully chosen: Snowflake declined to characterise the campaign as a "Snowflake breach," repeatedly pointing to the customer-side credential-and-MFA failure. The framing held up under scrutiny — the campaign did not exploit any vulnerability in Snowflake's platform — but the reputational impact on Snowflake was material despite the technical correctness.
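What the customer-side fix looks like in practice, as an added example for this page (not Snowflake's own scripts): an inventory of exposed users, an account-wide authentication policy that requires MFA for password logins while leaving SSO intact, a separate key-pair-only policy so service accounts keep working, a network allow-list, and a forced rotation of the credentials that predate the policy. The database, schema, policy, user names and IP ranges (RFC 5737 documentation addresses) are all assumptions; replace them with the tenant's real values.

```sql
-- Added hardening example for a Snowflake account (not from the original page).
-- Assumptions: run as ACCOUNTADMIN or SECURITYADMIN; SECURITY_ADMIN database,
-- ETL_SVC and ALICE users, and the IP ranges are placeholders.

-- 0. Inventory: enabled users who can log in with a password and have no MFA.
--    This is the list the infostealer pattern can reach.
SELECT name, has_password, has_rsa_public_key, ext_authn_duo, last_success_login
FROM snowflake.account_usage.users
WHERE deleted_on IS NULL
  AND disabled = FALSE
  AND has_password = TRUE
  AND ext_authn_duo = FALSE          -- not enrolled in Snowflake's built-in MFA
ORDER BY last_success_login DESC NULLS LAST;

-- 1. Account-wide authentication policy. Policies are schema-level objects,
--    so keep them in a dedicated governance schema. Users who are not yet
--    enrolled are prompted to enroll on their next Snowsight login.
CREATE DATABASE IF NOT EXISTS security_admin;
CREATE SCHEMA   IF NOT EXISTS security_admin.policies;

CREATE AUTHENTICATION POLICY IF NOT EXISTS security_admin.policies.require_mfa
  AUTHENTICATION_METHODS = ('SAML', 'PASSWORD')   -- no key-pair or OAuth for humans
  MFA_ENROLLMENT = REQUIRED
  CLIENT_TYPES = ('ALL')                          -- UI, drivers and SnowSQL alike
  COMMENT = 'Added example: every password login must carry a second factor';

ALTER ACCOUNT SET AUTHENTICATION POLICY security_admin.policies.require_mfa;

-- 2. Service accounts: no password, key-pair only, and a user-level policy
--    (which overrides the account policy) so the pipeline is not locked out.
CREATE AUTHENTICATION POLICY IF NOT EXISTS security_admin.policies.keypair_only
  AUTHENTICATION_METHODS = ('KEYPAIR')
  CLIENT_TYPES = ('DRIVERS');

ALTER USER etl_svc SET TYPE = SERVICE;
ALTER USER etl_svc SET RSA_PUBLIC_KEY = 'MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8A-PLACEHOLDER';  -- public key only; placeholder value
ALTER USER etl_svc UNSET PASSWORD;
ALTER USER etl_svc SET AUTHENTICATION POLICY security_admin.policies.keypair_only;

-- 3. Network allow-list: only corporate egress and the ETL VPC may connect.
--    Snowflake refuses to activate a policy that would block the IP you are
--    currently connected from; still, confirm the ranges before running this.
CREATE NETWORK POLICY IF NOT EXISTS corp_only
  ALLOWED_IP_LIST = ('203.0.113.0/24', '198.51.100.0/24')   -- placeholders
  COMMENT = 'Added example: replace with real egress ranges';

ALTER ACCOUNT SET NETWORK_POLICY = corp_only;

-- 4. Rotate every human credential that predates the policy. Any copy sitting
--    in a stealer log is now dead, and the user must pick a new one on login.
ALTER USER alice SET PASSWORD = 'PLACEHOLDER-use-a-generated-random-value'
                     MUST_CHANGE_PASSWORD = TRUE;
ALTER USER alice ABORT ALL QUERIES;   -- stop anything an attacker already started
```

Re-run the inventory query after step 1 and again a week later: the policy only bites when each user next logs in, so the list shrinks over time rather than instantly. Step 2 matters because an account-wide policy that omits KEYPAIR would otherwise break every key-pair service account the moment it is set.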
Attribution and arrests
In October 2024, Canadian authorities arrested Connor Moucka in Kitchener, Ontario, at the request of the United States. In November 2024, the DOJ unsealed an indictment in the Western District of Washington against Moucka and co-conspirator John Binns, who had already been arrested in Turkey in May 2024 and was previously implicated in the 2021 T-Mobile breach.
The Mandiant attribution cluster UNC5537 is the standard reference. The ShinyHunters brand overlapped partially: some Snowflake-cohort data, the Ticketmaster set in particular, was listed for sale under the ShinyHunters name on BreachForums.
Component incidents
- AT&T Snowflake 2024 — the largest single Snowflake-cohort breach in our catalog
Other Snowflake-cohort breaches (Ticketmaster, Santander, etc.) are not separately catalogued at incident scale.
Why it matters
The Snowflake cohort campaign established:
- That shared-responsibility cloud security models can fail at the customer-controls layer in ways the cloud provider cannot prevent. The provider's security being acceptable is necessary but not sufficient.
- That infostealer-harvested credentials are a primary vector for cloud-tenant compromise. The credential economy fuels routine criminal operations; ~165 organisations exposed via credentials harvested through ordinary commodity malware.
- That MFA-by-default at the cloud-provider level is now an industry baseline expectation. Snowflake's post-campaign migration to mandatory MFA defaults has been emulated by other cloud data-warehouse providers.
- That the cloud-customer-tenant attack surface requires the same operational discipline as on-premises infrastructure: credential hygiene and rotation, MFA enforcement, network allow-lists and conditional access, anomalous-login and anomalous-query detection. Many cohort victims had treated their Snowflake tenant as inherently secure because of the cloud-platform framing.
The 2024 campaign appears to have run its operational course by late 2024: Snowflake's MFA-default rollout and the arrests of Moucka and Binns combined to disrupt the operation's economics. Subsequent activity attributed to the same cluster appears to have shifted to other cloud platforms with similar shared-responsibility boundaries.