Snowflake data breach


The Snowflake data breach refers to a large-scale cybersecurity incident in 2024 involving unauthorized access to customer cloud environments hosted on Snowflake Inc., a cloud-based data warehousing platform.
The breach affected numerous high-profile clients and has been regarded as one of the most significant data security incidents of the decade.

Background

Snowflake Inc. provides a cloud data platform widely adopted by large enterprises for storing and analyzing data. In 2024, it became the focal point of a major cyberattack campaign that compromised sensitive data from more than 100 of its customers.

2024 breach

In mid-2024, at least 160 organizations were reportedly targeted through vulnerabilities in how their Snowflake environments were configured and accessed. Affected companies included AT&T, Ticketmaster/Live Nation, Santander Bank, LendingTree, Advance Auto Parts, Neiman Marcus, and Bausch Health.
The breach resulted in the theft of a wide range of sensitive data, such as:
The stolen data was allegedly used for extortion by the ShinyHunters group, which demanded ransoms from affected organizations in exchange for not leaking or selling the information.

Nature of the attack

Security investigations revealed that the attackers, members of a known hacking group referred to as Scattered Spider or ShinyHunters, accessed customer environments using stolen credentials obtained via infostealer malware. These credentials, which in many cases were not protected by multi-factor authentication, allowed the attackers to log in to Snowflake customer instances directly with just a username and password.
A report by the cybersecurity firm Mandiant outlined the method of extortion and the scale of the incident, noting that over 160 customer environments may have been accessed.

Impact and government response

The breach had particularly serious implications for AT&T, whose call and text message metadata involving nearly all U.S. customers was compromised. The breach prompted an unprecedented request from the U.S. Department of Justice, which asked AT&T to delay public disclosure due to national security and public safety concerns. Reports later confirmed that AT&T paid a ransom of $370,000 in an attempt to have the stolen data deleted.

Arrests and attribution

In late 2024, law enforcement agencies in the United States and Canada identified and apprehended two core individuals allegedly responsible for the attack:
Court documents also reference a third unnamed individual, known only by the alias Reddington, who allegedly acted as an intermediary between the hackers and victim organizations.

Security implications

The breach drew attention to widespread security misconfigurations and insufficient enforcement of multi-factor authentication across cloud platforms. It also raised concerns over third-party risk and the need for tighter access controls and credential hygiene within cloud ecosystems.
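The attack path described above (a successful login with only a stolen password and no second factor) is something defenders can look for in login records. The following is an added example, not part of the original article or any Snowflake tooling: it flags password-only successful logins and summarizes them per user and source IP. The field names are assumed to follow the columns of Snowflake's ACCOUNT_USAGE LOGIN_HISTORY view, and the sample rows are constructed.

```python
# Flag interactive logins that succeeded with a password alone.
# Added example: field names mirror Snowflake's ACCOUNT_USAGE LOGIN_HISTORY
# columns (an assumption about the export); the rows below are constructed.
from collections import defaultdict
from dataclasses import dataclass
from typing import Iterable, Optional


@dataclass(frozen=True)
class LoginEvent:
    event_timestamp: str                          # ISO-8601, as exported
    user_name: str
    client_ip: str
    reported_client_type: str                     # e.g. SNOWFLAKE_UI, PYTHON_DRIVER
    first_authentication_factor: str              # PASSWORD, RSA_KEYPAIR, OAUTH ...
    second_authentication_factor: Optional[str]   # None when no MFA was used
    is_success: bool


def is_password_only(ev: LoginEvent) -> bool:
    """True for a successful login authenticated by a password with no second factor."""
    return (ev.is_success
            and ev.first_authentication_factor == "PASSWORD"
            and ev.second_authentication_factor is None)


def password_only_logins(events: Iterable[LoginEvent]) -> list:
    return [ev for ev in events if is_password_only(ev)]


def summarize_by_user(events: Iterable[LoginEvent]) -> dict:
    """Per user: count of password-only logins and the distinct source IPs,
    which is what an analyst reviews when hunting for stolen-credential use."""
    summary = defaultdict(lambda: {"count": 0, "ips": set()})
    for ev in password_only_logins(events):
        summary[ev.user_name]["count"] += 1
        summary[ev.user_name]["ips"].add(ev.client_ip)
    return dict(summary)


# Constructed sample rows (not real log data).
SAMPLE_EVENTS = [
    LoginEvent("2024-05-01T08:02:11Z", "ANALYST_A", "10.0.0.5", "SNOWFLAKE_UI", "PASSWORD", "DUO_PUSH", True),
    LoginEvent("2024-05-01T08:10:44Z", "ANALYST_A", "10.0.0.5", "PYTHON_DRIVER", "RSA_KEYPAIR", None, True),
    LoginEvent("2024-05-02T02:17:03Z", "SVC_ETL", "203.0.113.77", "PYTHON_DRIVER", "PASSWORD", None, True),
    LoginEvent("2024-05-02T02:18:30Z", "SVC_ETL", "203.0.113.77", "PYTHON_DRIVER", "PASSWORD", None, False),
    LoginEvent("2024-05-03T23:41:59Z", "SVC_ETL", "198.51.100.9", "SNOWFLAKE_UI", "PASSWORD", None, True),
]

if __name__ == "__main__":
    for user, info in summarize_by_user(SAMPLE_EVENTS).items():
        print(f"{user}: {info['count']} password-only login(s) from {sorted(info['ips'])}")
```

Accounts that appear in the summary are candidates for enforcing MFA, rotating the password, and reviewing the source IPs against an allow-list.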