
The Snowflake data breach refers to a large-scale cybersecurity incident in 2024 involving unauthorized access to customer cloud environments hosted on Snowflake Inc., a cloud-based data warehousing platform (Matt Egan and Sean Lyngaas). The breach affected numerous high-profile clients and has been regarded as one of the most significant data security incidents of the decade (Jordan Smith).


Background

Snowflake Inc. provides a cloud data platform widely adopted by large enterprises for storing and analyzing data. In 2024, it became the focal point of a major cyberattack campaign that compromised sensitive data from more than 100 of its customers (Kim Zetter).


2024 breach

In mid-2024, at least 160 organizations were reportedly targeted through vulnerabilities in how their Snowflake environments were configured and accessed. Affected companies included AT&T, Ticketmaster/Live Nation, Santander Bank, LendingTree, Advance Auto Parts, Neiman Marcus, and Bausch Health. The breach resulted in the theft of a wide range of sensitive data, such as:

* Personally Identifiable Information (PII)
* Medical prescriber DEA numbers
* Digital event tickets
* Over 50 billion call records from AT&T

The stolen data was allegedly used for extortion, with hackers demanding ransoms from affected organizations in exchange for not leaking or selling the information.


Nature of the attack

Security investigations revealed that the attackers, members of a known hacking group referred to as ''UNC5537'' or Scattered Spider, accessed customer environments using stolen credentials obtained via infostealer malware. In many cases these credentials lacked multi-factor authentication (MFA) protection, so the attackers could log in to Snowflake customer instances directly with just a username and password. A report by the cybersecurity firm Mandiant (a subsidiary of Google Cloud) outlined the method of extortion and the scale of the incident, noting that over 160 customer environments may have been accessed.


Impact and government response

The breach had particularly serious implications for AT&T, whose call and text message metadata involving nearly all U.S. customers was compromised. The breach prompted an unprecedented request from the U.S. Department of Justice, which asked AT&T to delay public disclosure due to national security and public safety concerns. Reports later confirmed that AT&T paid a ransom of $370,000 in an attempt to have the stolen data deleted (Kim Zetter).


Arrests and attribution

In late 2024, law enforcement agencies in the United States and Canada identified and apprehended two core individuals allegedly responsible for the attack:

* Connor Riley Moucka, 25 (aliases: ''Waifu'', ''Judische'', ''Ellyel8''), was arrested in Kitchener, Ontario, Canada on October 30, 2024 (Jonathan Greig). He faces multiple charges in Washington state, including conspiracy, computer fraud, extortion, and identity theft.
* John Erin Binns, 24 (aliases: ''IRDev'', ''IntelSecrets''), was arrested in Turkey in May 2024. He is currently detained pending possible extradition to the United States, where he also faces charges linked to the 2021 T-Mobile breach.

Court documents also reference a third unnamed individual, known only by the alias ''Reddington'', who allegedly acted as an intermediary between the hackers and victim organizations.


Security implications

The breach drew attention to widespread security misconfigurations and insufficient enforcement of multi-factor authentication across cloud platforms. It also raised concerns over third-party risk and the need for tighter access controls and credential hygiene within cloud ecosystems.
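As an added illustration of the two gaps named in this section and in "Nature of the attack" (this is example SQL written for this page, not code from the original article or from Snowflake): a hunting query over Snowflake's ACCOUNT_USAGE.LOGIN_HISTORY view that surfaces successful password-only logins with no second factor, followed by an account-level authentication policy that makes MFA enrollment mandatory and a network policy that restricts source addresses. The policy names, the role used and the 203.0.113.0/24 range are assumptions.

```sql
-- Added example, not from the original article. Object names (require_mfa,
-- corp_egress_only) and the IP range 203.0.113.0/24 are placeholders.
USE ROLE ACCOUNTADMIN;

-- 1. Hunt: successful logins in the last 30 days that relied on a password
--    alone, i.e. no second factor recorded. Each row is an identity that a
--    stolen username/password pair alone would have been enough to use.
SELECT
    user_name,
    client_ip,
    reported_client_type,
    COUNT(*)             AS password_only_logins,
    MIN(event_timestamp) AS first_seen,
    MAX(event_timestamp) AS last_seen
FROM snowflake.account_usage.login_history
WHERE is_success = 'YES'
  AND first_authentication_factor = 'PASSWORD'
  AND second_authentication_factor IS NULL
  AND event_timestamp >= DATEADD('day', -30, CURRENT_TIMESTAMP())
GROUP BY user_name, client_ip, reported_client_type
ORDER BY password_only_logins DESC;

-- 2. Mitigate: require MFA enrollment for password-based users, account-wide.
CREATE AUTHENTICATION POLICY IF NOT EXISTS require_mfa
    AUTHENTICATION_METHODS = ('SAML', 'PASSWORD')  -- SSO preferred, passwords still allowed
    MFA_ENROLLMENT         = REQUIRED;             -- password users must enroll in MFA
ALTER ACCOUNT SET AUTHENTICATION POLICY require_mfa;

-- 3. Mitigate: accept connections only from known egress addresses, so a
--    credential lifted by an infostealer cannot be used from an unknown network.
CREATE NETWORK POLICY IF NOT EXISTS corp_egress_only
    ALLOWED_IP_LIST = ('203.0.113.0/24');          -- placeholder documentation range
ALTER ACCOUNT SET NETWORK_POLICY = corp_egress_only;

-- 4. Verify both controls are attached at account level.
DESCRIBE AUTHENTICATION POLICY require_mfa;
SHOW PARAMETERS LIKE 'NETWORK_POLICY' IN ACCOUNT;
```

ACCOUNT_USAGE views lag live events by up to a few hours, so for near-real-time alerting run the same filter against the INFORMATION_SCHEMA.LOGIN_HISTORY table function instead, which covers the most recent seven days.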


See also

* List of data breaches
* T-Mobile data breach
* Scattered Spider
* ShinyHunters

