Credential stuffing | Contained

Snowflake customer-account credential-stuffing campaign (UNC5537, 2024)

A threat cluster tracked as UNC5537 / ShinyHunters used credentials harvested by infostealer malware to log into ~160 Snowflake customer tenants that lacked MFA. Victims included AT&T, Ticketmaster, Santander, LendingTree, Advance Auto Parts, Neiman Marcus, and Bausch Health. Ticketmaster alone exposed data for ~560 million users.

Victim
Snowflake customer tenants (~160 organisations: AT&T, Ticketmaster, Santander, LendingTree, Advance Auto Parts, Neiman Marcus, Bausch Health, et al.)
Records
560.0M
Users
560.0M

In mid-2024, a single threat cluster tracked variously as UNC5537 and ShinyHunters ran one of the most consequential SaaS-credential campaigns ever publicly documented: roughly 160 Snowflake customer tenants were logged into with stolen credentials, exposing data on hundreds of millions of consumers across Ticketmaster, Santander, AT&T, LendingTree, Advance Auto Parts, Neiman Marcus, Bausch Health, and others.

What happened

Snowflake is a cloud data-warehouse platform; many large enterprises concentrate their most sensitive analytical data there. UNC5537 did not exploit a Snowflake product vulnerability. Instead, the group:

  1. Harvested credentials at scale from contractor and employee endpoints already infected with infostealer malware (Lumma, Redline, Vidar, Raccoon).
  2. Identified Snowflake-tenant logins in the harvested credential dumps.
  3. Logged in directly to tenants that did not enforce MFA on user accounts.

Once in, the attackers exfiltrated the customer's data tables and used the haul to extort the tenant: first privately, then publicly on extortion forums and ShinyHunters' leak channels.
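The three-step procedure above leaves a specific trace in a tenant's own login history: successful logins authenticated by a password and nothing else, often from a source address the organisation has never used. The following is an added, hypothetical hunting script, not Snowflake's, Mandiant's or any victim's tooling. Its field names mirror the columns of Snowflake's `SNOWFLAKE.ACCOUNT_USAGE.LOGIN_HISTORY` view so the predicates port directly to a query against it; the events, user names, IP addresses, client types and the corporate egress baseline are constructed sample data.

```python
"""Hunt for the login pattern behind the UNC5537 campaign: successful
password-only logins to a Snowflake tenant.

Hypothetical detection code added as an example. Field names mirror the
columns of SNOWFLAKE.ACCOUNT_USAGE.LOGIN_HISTORY; every row below is
constructed sample data, not real tenant history.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class LoginEvent:
    event_timestamp: datetime
    user_name: str
    client_ip: str
    reported_client_type: str
    first_authentication_factor: str           # e.g. PASSWORD, RSA_KEYPAIR
    second_authentication_factor: Optional[str]  # None when no MFA was used
    is_success: str                            # 'YES' / 'NO', as in LOGIN_HISTORY


def ev(ts, user, ip, client, first, second, ok):
    return LoginEvent(datetime.fromisoformat(ts), user, ip, client, first, second, ok)


# Constructed sample history (assumed users, IPs and client types).
SAMPLE_EVENTS = [
    ev("2024-04-14T08:02:00", "ALICE", "198.51.100.20", "SNOWFLAKE_UI", "PASSWORD", "DUO_PUSH", "YES"),
    ev("2024-04-15T02:40:00", "ALICE", "203.0.113.7", "JDBC_DRIVER", "PASSWORD", None, "NO"),
    ev("2024-04-16T09:15:00", "BOB", "198.51.100.20", "SNOWFLAKE_UI", "PASSWORD", None, "YES"),
    ev("2024-04-17T03:11:00", "BOB", "203.0.113.7", "JDBC_DRIVER", "PASSWORD", None, "YES"),
    ev("2024-04-17T03:12:00", "SVC_ETL", "198.51.100.21", "PYTHON_DRIVER", "RSA_KEYPAIR", None, "YES"),
    ev("2024-04-18T04:00:00", "CAROL", "203.0.113.9", "JDBC_DRIVER", "PASSWORD", None, "NO"),
    ev("2024-04-18T04:01:00", "CAROL", "203.0.113.9", "JDBC_DRIVER", "PASSWORD", None, "YES"),
]

# Assumed corporate egress range; a real tenant would use its network allow-list.
BASELINE_NETWORKS = [ip_network("198.51.100.0/24")]


def password_only_successes(events):
    """Successful logins authenticated by a password alone. Key-pair, OAuth
    and SSO logins are left out: an infostealer dump yields passwords, and a
    bare password only works where MFA is not enforced."""
    return [e for e in events
            if e.is_success == "YES"
            and e.first_authentication_factor == "PASSWORD"
            and e.second_authentication_factor is None]


def users_never_using_mfa(events):
    """Password users who have never completed a login with a second factor."""
    password_users, mfa_users = set(), set()
    for e in events:
        if e.is_success != "YES":
            continue
        if e.first_authentication_factor == "PASSWORD":
            password_users.add(e.user_name)
        if e.second_authentication_factor is not None:
            mfa_users.add(e.user_name)
    return password_users - mfa_users


def failed_then_success(events, window=timedelta(minutes=10)):
    """(user, ip) pairs where a failed login is followed by a success from the
    same IP within `window`: a credential-stuffing signature worth triage."""
    by_key = defaultdict(list)
    for e in sorted(events, key=lambda e: e.event_timestamp):
        by_key[(e.user_name, e.client_ip)].append(e)
    hits = set()
    for key, evs in by_key.items():
        for i, e in enumerate(evs):
            if e.is_success != "NO":
                continue
            later = [x for x in evs[i + 1:] if x.event_timestamp - e.event_timestamp <= window]
            if any(x.is_success == "YES" for x in later):
                hits.add(key)
    return hits


def triage(events, baseline=BASELINE_NETWORKS):
    """Per-user summary a responder can act on: single-factor login count,
    source IPs outside the baseline, and whether the user ever used MFA."""
    never_mfa = users_never_using_mfa(events)
    report = {}
    for e in password_only_successes(events):
        row = report.setdefault(e.user_name, {"single_factor_logins": 0, "new_ips": set(),
                                              "never_mfa": e.user_name in never_mfa})
        row["single_factor_logins"] += 1
        if not any(ip_address(e.client_ip) in net for net in baseline):
            row["new_ips"].add(e.client_ip)
    return {u: {**r, "new_ips": sorted(r["new_ips"])} for u, r in report.items()}


if __name__ == "__main__":
    for user, row in triage(SAMPLE_EVENTS).items():
        print(user, row)
    print("failed-then-success:", failed_then_success(SAMPLE_EVENTS))
```

On the sample data, BOB and CAROL surface as password-only users logging in from outside the egress baseline, ALICE does not (her only password-only attempt failed and her successful login used a second factor), and the key-pair service account is ignored. Against the live view the core predicate is simply `is_success = 'YES' AND first_authentication_factor = 'PASSWORD' AND second_authentication_factor IS NULL`; the per-user "never used MFA" set is the list of accounts to enrol or disable first.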

Santander disclosed the breach on 30 May 2024: staff and 30 million customers across Spain, Chile, and Uruguay affected. Ticketmaster/Live Nation disclosed the next day: data on approximately 560 million users. AT&T's separately disclosed Snowflake exposure (call/text metadata for ~110M wireless customers across six months of 2022) is also part of this campaign.

Snowflake publicly stated that this was not a product compromise but a customer-credential issue, while also disclosing that a former Snowflake employee's account had been accessed by attackers, which complicated the narrative. The company later moved to require MFA by default on customer tenants in response.

Impact

  • Approximately 160 Snowflake customer tenants breached.
  • ~560 million Ticketmaster user records exposed.
  • ~30 million Santander customer records exposed across three countries.
  • ~110 million AT&T wireless-customer metadata records exposed (separately disclosed).
  • ShinyHunters extorted multiple victims; some paid, some did not.

Why it matters

UNC5537 demonstrated, at industrial scale, that the credential layer is the effective perimeter of a SaaS data warehouse, and that a single customer's failure to enforce MFA can expose hundreds of millions of consumers downstream. Snowflake's subsequent decision to enforce MFA by default is now widely cited as the post-incident standard for SaaS platforms holding concentrated customer data.

Timeline

  1. UNC5537 begins systematically logging into Snowflake customer tenants using credentials harvested by infostealer malware on contractor and employee endpoints. Tenants without enforced MFA are easy targets.

  2. Santander confirms a breach of staff and 30 million customers across Spain, Chile, and Uruguay; ShinyHunters takes credit.

  3. Ticketmaster/Live Nation confirms a breach affecting ~560 million users via Snowflake.

  4. Snowflake states the activity is the result of stolen end-user credentials, not a Snowflake product compromise, but also discloses unauthorised access to a former Snowflake employee's account.

  5. TechCrunch reports it has seen over 500 stolen Snowflake-customer credentials, including web addresses of the corresponding login pages.

  6. Mandiant attributes the campaign to UNC5537; affected tenant count grows to approximately 160 organisations.

  7. AT&T discloses Snowflake-related exposure of call and text records spanning roughly six months of 2022 for nearly all wireless customers (~110M).

Sources

  1. en.wikipedia.org: https://en.wikipedia.org/wiki/Snowflake_data_breach
  2. therecord.media: https://therecord.media/live-nation-confirms-ticketmaster-breach-snowflake
  3. cm-alliance.com: https://www.cm-alliance.com/cybersecurity-blog/snowflake-ticketmaster-santander-breaches-a-live-timeline
  4. en.wikipedia.org: https://en.wikipedia.org/wiki/ShinyHunters
  5. informationweek.com: https://www.informationweek.com/cyber-resilience/-it-wasn-t-me-snowflake-denies-attack-responsibility-admits-hack-of-former-worker
