What Happened
Between April and June 2024, a threat actor tracked as UNC5537 systematically compromised over 165 Snowflake customer accounts using credentials stolen by infostealer malware. The campaign exploited a common weakness: Snowflake customer accounts that did not enforce multi-factor authentication. The resulting data theft affected hundreds of millions of individuals across organizations including Ticketmaster (560 million), AT&T (approximately 110 million), Santander (30 million), Advance Auto Parts (79 million), and LendingTree.
Snowflake itself was not breached. The attackers used legitimate credentials to log into customer-managed Snowflake instances.
How It Happened
UNC5537 obtained Snowflake customer credentials from infostealer malware logs including Vidar, RisePro, Redline, Lumma, and MetaStealer. Some credentials dated back to 2020. Attackers logged into Snowflake customer accounts using the stolen username and password combinations. Affected accounts did not have MFA enabled, and Snowflake did not require MFA by default at the time. Attackers used Snowflake’s native data export capabilities to steal large volumes of customer data. UNC5537 then attempted to extort victims, demanding payments of $300,000 to $5 million to prevent data publication.
Major Victims
Ticketmaster and Live Nation lost 560 million records containing customer names, emails, phone numbers, and payment card data. AT&T lost approximately 110 million records of call and text metadata for nearly all wireless customers. Santander Bank lost 30 million customer and employee account records. Advance Auto Parts lost 79 million records of customer data and employee information. LendingTree and QuoteWizard lost an unknown quantity of customer financial data. Neiman Marcus lost 31 million customer email addresses.
Timeline
The earliest identified unauthorized access to Snowflake customer accounts occurred on April 14, 2024. Mandiant began investigating after detecting the campaign in May 2024. The Ticketmaster breach was disclosed on May 20 when ShinyHunters listed 560 million records on BreachForums. Snowflake issued an advisory acknowledging the targeted campaign against customers on May 24. Mandiant published findings attributing the campaign to UNC5537 on June 10. AT&T disclosed its Snowflake-related breach affecting nearly all wireless customers on July 12. Snowflake announced MFA would be required by default for all new accounts in October 2024. Alexander “Connor” Moucka was arrested in Canada in November 2024 and linked to UNC5537. John Binns was arrested in Turkey that same month and linked to AT&T and T-Mobile breaches.
Root Cause
The Snowflake campaign was not a platform vulnerability. It was an identity security failure at scale. Snowflake did not require MFA for customer accounts, and many organizations did not enable it voluntarily. Many compromised credentials had been stolen months or years earlier by infostealer malware and were never rotated. Affected accounts did not restrict access to known corporate IP ranges. Snowflake considered account security a customer responsibility, while customers assumed the platform enforced basic security.
Industry Impact
Snowflake implemented mandatory MFA for all new accounts starting October 2024. The campaign triggered broader industry discussion about default security settings in SaaS platforms. Multiple class-action lawsuits were filed against both Snowflake and affected customers. The incident demonstrated that infostealer malware is a primary feeder for large-scale data theft campaigns. Mandiant attributed UNC5537 to individuals in North America and Turkey, not a nation-state group.
Key Lessons
MFA must be enforced by default on all cloud and SaaS platforms, as optional MFA is effectively no MFA. Credential monitoring for infostealer logs through services like Hudson Rock, Flare, and SpyCloud can provide early warning. IP allowlisting on cloud data platforms prevents unauthorized access even with valid credentials. The shared responsibility model requires explicit security baselines that both vendor and customer agree to enforce.
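The three controls the lessons above call for (find unprotected accounts, watch for password-only logins from unexpected networks, then enforce allowlisting and MFA) map directly onto Snowflake's own SQL surface. The following is an added example, not from the original article or from Snowflake; it assumes a role that can read the SNOWFLAKE.ACCOUNT_USAGE share (ACCOUNTADMIN or a grantee of IMPORTED PRIVILEGES), and the CIDR 203.0.113.0/24 is a placeholder for your real corporate egress range.

```sql
-- Added example (not from the original article). Assumes ACCOUNTADMIN-level
-- read access to SNOWFLAKE.ACCOUNT_USAGE; 203.0.113.0/24 is a placeholder.

-- 1. Inventory: password-enabled, non-deleted users who never enrolled in MFA.
--    EXT_AUTHN_DUO stays FALSE until the user completes Duo enrollment.
SELECT name, login_name, last_success_login, disabled
FROM snowflake.account_usage.users
WHERE deleted_on IS NULL
  AND has_password = TRUE
  AND ext_authn_duo = FALSE
ORDER BY last_success_login DESC NULLS LAST;

-- 2. Detection: successful password logins with no second factor in the
--    last 30 days, grouped by source IP so an unfamiliar network stands out.
SELECT user_name, client_ip, reported_client_type,
       COUNT(*)             AS logins,
       MIN(event_timestamp) AS first_seen,
       MAX(event_timestamp) AS last_seen
FROM snowflake.account_usage.login_history
WHERE event_timestamp >= DATEADD('day', -30, CURRENT_TIMESTAMP())
  AND is_success = 'YES'
  AND first_authentication_factor = 'PASSWORD'
  AND second_authentication_factor IS NULL
GROUP BY 1, 2, 3
ORDER BY logins DESC;

-- 3. Mitigation: restrict the whole account to the corporate range, so a
--    stolen password alone is useless from an attacker's network.
CREATE NETWORK POLICY IF NOT EXISTS corp_only
  ALLOWED_IP_LIST = ('203.0.113.0/24');   -- placeholder CIDR
ALTER ACCOUNT SET NETWORK_POLICY = corp_only;

-- 4. Mitigation: make MFA enrollment mandatory at the account level instead
--    of leaving it to each user.
CREATE AUTHENTICATION POLICY require_mfa
  MFA_ENROLLMENT = REQUIRED;
ALTER ACCOUNT SET AUTHENTICATION POLICY require_mfa;
```

ACCOUNT_USAGE views lag live activity by up to two hours, so the detection query is a periodic audit rather than a real-time alert. Run step 3 from an IP inside the allowed range; Snowflake rejects an account-level network policy that would lock out the current session.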