AT&T Snowflake call-records breach
AT&T disclosed that attackers used credentials stolen by infostealers to authenticate into its Snowflake cloud-data-warehouse tenant — which lacked MFA — and exfiltrated call and text metadata covering nearly all 110 million AT&T wireless customers.
- Victim
- AT&T Communications
- Loss
- $200.0M
- records
- 110.0M
- users
- 110.0M
On 12 July 2024, AT&T publicly disclosed that attackers had exfiltrated call detail records covering nearly all of its 110 million wireless customers from its workspace on Snowflake's cloud data warehouse. According to AT&T's SEC filing, the data was copied between 14 and 25 April 2024; AT&T learned of the intrusion on 19 April, and public disclosure was delayed twice at the request of the U.S. Department of Justice. The exfiltration was part of a larger campaign, tracked as UNC5537 by Mandiant, that used credentials harvested by infostealer malware months or years earlier to access Snowflake customer tenants; Mandiant identified roughly 165 organisations as potentially exposed.
The campaign is the canonical case for stolen-credential access to cloud tenants at scale, and a major driver of the post-2024 industry shift toward enforced MFA on cloud data warehouses.
The Snowflake cohort
The broader campaign — running approximately April through July 2024 — targeted Snowflake tenants whose customers had:
- Snowflake credentials harvested by infostealer malware months or years earlier, sold on credential markets.
- No multi-factor authentication required on the Snowflake tenant.
- Significant volumes of structured data worth exfiltrating.
Confirmed Snowflake-cohort victims include:
- AT&T (this incident; call and text metadata)
- Ticketmaster (Live Nation) — ~560M customer records, per the sellers' own claim
- Santander Bank — staff and customer records across multiple regions
- Advance Auto Parts — ~2.3M individuals' records (current and former employees and job applicants)
- Pure Storage, Neiman Marcus, LendingTree, and approximately 160 additional organisations
The Snowflake platform itself was not compromised. The weakness was in per-customer authentication policy: MFA was opt-in, each Snowflake customer was responsible for enabling it, and many had not. Snowflake's response to the campaign was to give administrators tooling to enforce MFA tenant-wide (authentication policies with a required-enrolment option) and to make MFA the default for new accounts.
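The audit-then-enforce sequence a Snowflake tenant administrator would run against exactly this failure mode, as an added example (not code from AT&T, Snowflake or Mandiant's report). It assumes a role with ACCOUNTADMIN or SECURITYADMIN privileges, access to the SNOWFLAKE.ACCOUNT_USAGE share, and placeholder names for the policy objects and IP ranges; the column and policy syntax are Snowflake's own.

```sql
-- 1. Inventory: enabled human users who can still log in with a password but
--    have never enrolled in MFA. These are the accounts a leaked infostealer
--    log would let an attacker walk straight into.
--    (DISABLED is cast because the view exposes it as a VARIANT.)
SELECT name, login_name, has_mfa, has_password, has_rsa_public_key,
       last_success_login, default_role
FROM   snowflake.account_usage.users
WHERE  deleted_on IS NULL
  AND  disabled::BOOLEAN = FALSE
  AND  has_password = TRUE
  AND  has_mfa = FALSE
ORDER  BY last_success_login DESC NULLS LAST;

-- 2. Hunt: successful logins in the last 30 days that used a password with no
--    second factor, grouped by source IP and client. FIRST_AUTHENTICATION_FACTOR
--    is e.g. 'PASSWORD', 'RSA_KEYPAIR', 'OAUTH_ACCESS_TOKEN' or 'SAML2_ASSERTION';
--    SECOND_AUTHENTICATION_FACTOR is NULL when MFA was not used. A password-only
--    login for a user in query 1 from an IP outside corporate egress is the
--    UNC5537 pattern and should be treated as a credential-compromise lead.
SELECT user_name, client_ip, reported_client_type, first_authentication_factor,
       COUNT(*)             AS logins,
       MIN(event_timestamp) AS first_seen,
       MAX(event_timestamp) AS last_seen
FROM   snowflake.account_usage.login_history
WHERE  event_timestamp >= DATEADD('day', -30, CURRENT_TIMESTAMP())
  AND  is_success = 'YES'
  AND  first_authentication_factor = 'PASSWORD'
  AND  second_authentication_factor IS NULL
GROUP  BY 1, 2, 3, 4
ORDER  BY logins DESC;

-- 3. Enforce: an account-level authentication policy that requires every
--    password-based user to enrol in MFA at their next login.
--    The database/schema/policy names are placeholders. Snowflake requires
--    SNOWFLAKE_UI in CLIENT_TYPES when MFA_ENROLLMENT = REQUIRED, since the
--    enrolment prompt is delivered through the web UI.
CREATE AUTHENTICATION POLICY IF NOT EXISTS security_admin_db.policies.require_mfa
  AUTHENTICATION_METHODS = ('SAML', 'PASSWORD')
  MFA_ENROLLMENT         = REQUIRED
  CLIENT_TYPES           = ('SNOWFLAKE_UI', 'DRIVERS', 'SNOWSQL')
  COMMENT = 'MFA enrolment required for all password-based human logins';

ALTER ACCOUNT SET AUTHENTICATION POLICY security_admin_db.policies.require_mfa;

-- 4. Restrict: a network policy for the whole account, because key-pair and
--    OAuth logins are outside MFA enrolment and a stolen key-pair from the same
--    workstation would otherwise bypass step 3. CIDRs are placeholder values.
CREATE NETWORK POLICY IF NOT EXISTS corp_egress_only
  ALLOWED_IP_LIST = ('203.0.113.0/24', '198.51.100.0/24')
  COMMENT = 'Corporate egress ranges (placeholder values)';

ALTER ACCOUNT SET NETWORK_POLICY = corp_egress_only;
```

Queries 1 and 2 are the triage, not the fix: any user that appears in both should have its password reset and its sessions reviewed before the policy is applied, because MFA enrolment only bites at the next login and does nothing about a session the attacker already holds. Service accounts that cannot complete an MFA prompt should be moved to key-pair or OAuth authentication and constrained by the network policy rather than exempted from it.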
AT&T-specific scope
AT&T's exfiltrated data covered:
- Call and text metadata (which AT&T numbers interacted with which numbers, how many times, and the aggregate call duration per day or month) for nearly all AT&T wireless customers, including customers of MVNOs using the AT&T network, between 1 May 2022 and 31 October 2022, plus a single additional day on 2 January 2023.
- Approximately 110 million customers affected — virtually every AT&T mobile subscriber during the affected period.
- No content of calls or messages was exposed, nor customer names, Social Security numbers or dates of birth; AT&T itself noted, however, that a name can often be linked to a number using publicly available lookup tools.
- A subset of records included one or more cell-site identification numbers, from which the approximate location of the handset at the time of the interaction can be inferred.
The combination of connection graph, interaction counts and durations, and partial location is significant for social-network analysis: while no message content was exposed, the aggregate dataset enables mapping of who interacts with whom, how often, and from roughly where across the U.S. AT&T customer base over the six-month period.
The payment
It was subsequently reported that AT&T paid the attackers approximately $370,000 in cryptocurrency, via an intermediary, in exchange for assurance, including a video purporting to show deletion, that the stolen data would be destroyed. AT&T did not publicly confirm the payment; the framing attributed to the negotiation was deletion assurance rather than ransom.
The payment did not fully prevent subsequent release: partial samples of the dataset had reportedly already been shared before the deletion and circulated on criminal forums in the weeks after AT&T's disclosure, demonstrating again that payment provides no enforceable guarantee of data destruction.
Attribution and indictments
On 30 October 2024, Canadian authorities arrested Connor Moucka, a 25-year-old Canadian national in Kitchener, Ontario, at the request of the United States for his role in the Snowflake-cohort extortion campaign. In November 2024, the DOJ unsealed an indictment charging Moucka and a co-conspirator, John Binns, a 24-year-old American who had previously claimed responsibility for the 2021 T-Mobile breach and who was by then in custody in Turkey.
The 20-count indictment charged Moucka and Binns with conspiracy, computer fraud and abuse, wire fraud, extortion and aggravated identity theft relating to at least 10 victim organisations, referred to by number rather than name; AT&T was identified in reporting as one of the larger victims.
Moucka remained in Canadian custody pending extradition as of late 2024. Binns was reportedly held in Turkish custody, outside immediate U.S. reach.
Impact
- ~110 million customers' call and text metadata exposed.
- Direct cost to AT&T: ~$200M including remediation, customer notification, and the $370K extortion payment.
- FCC investigation continues; AT&T was already subject to a September 2024 FCC consent decree, including a $13 million payment, over a separate January 2023 breach of customer data held by a cloud vendor.
- Snowflake industry impact: Snowflake announced MFA by default for new accounts and an enforcement option for existing tenants; regulated-industry customers accelerated MFA migration on existing tenants.
Why it matters
AT&T / Snowflake is the canonical case for stolen-credential access to cloud tenants in 2024 and the most consequential demonstration that the cloud provider's security alone is insufficient when customer-side controls are missing. It established:
- That infostealer-harvested credentials are a primary vector for cloud-tenant compromise. The credentials AT&T's attackers used had been harvested by routine infostealer malware months earlier and sold through ordinary criminal markets — no targeted state operation was needed.
- That shared-responsibility cloud security models can fail at the customer-controls layer in ways the provider cannot prevent. Snowflake's platform was secure; ~165 of its customers' MFA configurations were not.
- That call metadata is a strategic-intelligence-grade dataset at telecom scale. The AT&T exposure is functionally a six-month social-network snapshot of a substantial fraction of U.S. mobile users.
- That post-payment release is a continuing pattern. AT&T's payment did not prevent samples from circulating; the disclosure once again pointed to the lack of enforceable deletion in extortion-payment scenarios.
Financial impact
Reported costs in USD
- Extortion payment (reported): $370.0K
- Business loss: $100.0M
- Remediation: $100.0M
Timeline
14–25 April 2024: operators authenticate to AT&T's Snowflake tenant using a credential harvested by infostealer malware, most likely from an employee or contractor workstation (the pattern Mandiant found across the cohort). AT&T's Snowflake tenant does not require MFA.
14–25 April 2024: operators exfiltrate call detail records for nearly all AT&T wireless customers covering 1 May 2022 to 31 October 2022, plus a single day of records from 2 January 2023. Approximately 110 million customers' metadata captured.
19 April 2024: AT&T learns that a threat actor claims to have accessed and copied AT&T call logs; it engages forensic experts and notifies the FBI.
Late May 2024: Snowflake publicly discloses that 'a limited number of Snowflake customers' have been compromised via stolen credentials. The cohort is later revealed to be ~165 potentially exposed organisations including AT&T, Ticketmaster, Santander and Advance Auto Parts.
12 July 2024: AT&T publicly discloses its breach, after twice delaying disclosure at the request of the DOJ. It is subsequently reported that AT&T paid the attackers ~$370,000 in cryptocurrency for assurance of data deletion, a payment that did not prevent later partial public sample releases.
30 October 2024: Canadian law enforcement arrest Connor Moucka (Canadian national) in Kitchener, Ontario, at the request of the United States for the Snowflake-related extortion campaign.
November 2024: U.S. DOJ unseals indictment against Moucka and co-conspirator John Binns (in custody in Turkey, previously implicated in the 2021 T-Mobile breach).
Sources
- about.att.com: https://about.att.com/story/2024/addressing-illegal-download.html
- services.google.com: https://services.google.com/fh/files/misc/uncovering-unc5537.pdf
- justice.gov: https://www.justice.gov/usao-wdwa/pr/canadian-charged-fraud-and-extortion-scheme-targeting-three-billion-records-many-major