= Snowflake data breach =

The Snowflake data breach refers to a large-scale cybersecurity incident in 2024 involving unauthorized access to customer cloud environments hosted on Snowflake Inc., a cloud-based data and AI platform. The breach affected numerous high-profile clients and has been regarded as one of the most significant data security incidents of the decade.

== Background ==
Snowflake Inc. provides a cloud data and AI platform widely adopted by large enterprises for storing and analyzing data. In 2024, it became the focal point of a major cyberattack campaign that compromised sensitive data from more than 100 of its customers.

== 2024 breach ==
In mid-2024, at least 160 organizations were reportedly targeted through weaknesses in how their Snowflake environments were configured and accessed. Affected companies included AT&T, Ticketmaster/Live Nation, Santander Bank, LendingTree, Advance Auto Parts, Neiman Marcus, and Bausch Health.

The breach resulted in the theft of a wide range of sensitive data, such as:
- Personally Identifiable Information (PII)
- Medical prescriber DEA numbers
- Digital event tickets
- Over 50 billion call records from AT&T

The stolen data was allegedly used for extortion by the ShinyHunters group, which demanded ransoms from affected organizations in exchange for not leaking or selling the information.

=== Nature of the attack ===
Security investigations revealed that the attackers, members of a known hacking group referred to as UNC5537, Scattered Spider or ShinyHunters, accessed customer environments by using stolen credentials obtained via infostealer malware. Many of the compromised accounts had no multi-factor authentication (MFA) enabled, so the attackers could log in to Snowflake customer instances directly with just a username and password.

A report by the cybersecurity firm Mandiant (a subsidiary of Google Cloud) outlined the extortion method and the scale of the incident, noting that over 160 customer environments may have been accessed.
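As an added example (not part of the article, and not Snowflake's or Mandiant's own guidance), the following audit queries show how a Snowflake account administrator could check for the two conditions the attackers relied on: users who can authenticate with a password alone, and recent successful logins that completed without a second factor. They assume a role with access to the SNOWFLAKE.ACCOUNT_USAGE views (for example ACCOUNTADMIN).

```sql
-- Added example; not from the article, Snowflake, or Mandiant.
-- Assumes ACCOUNTADMIN or a role granted IMPORTED PRIVILEGES on the
-- SNOWFLAKE database. ACCOUNT_USAGE views lag live activity by up to
-- a few hours, so they are an audit tool, not a real-time alert source.

-- 1. Active users who can log in with a password but have never
--    enrolled in MFA. A credential harvested by an infostealer would
--    fully unlock any account in this list.
SELECT name,
       login_name,
       default_role,
       last_success_login
FROM   snowflake.account_usage.users
WHERE  deleted_on IS NULL
  AND  disabled = FALSE
  AND  has_password = TRUE
  AND  ext_authn_duo = FALSE
ORDER  BY last_success_login DESC NULLS LAST;

-- 2. Successful logins in the last 30 days that used a password as the
--    only factor, summarised per user with the distinct source IPs and
--    client types seen. A user suddenly appearing from many new IPs, or
--    from a generic driver instead of their usual BI tool, warrants
--    investigation.
SELECT user_name,
       COUNT(*)                                 AS password_only_logins,
       COUNT(DISTINCT client_ip)                AS distinct_ips,
       ARRAY_AGG(DISTINCT client_ip)            AS ips,
       ARRAY_AGG(DISTINCT reported_client_type) AS client_types,
       MIN(event_timestamp)                     AS first_seen,
       MAX(event_timestamp)                     AS last_seen
FROM   snowflake.account_usage.login_history
WHERE  event_timestamp >= DATEADD(day, -30, CURRENT_TIMESTAMP())
  AND  is_success = 'YES'
  AND  first_authentication_factor = 'PASSWORD'
  AND  second_authentication_factor IS NULL
GROUP  BY user_name
ORDER  BY distinct_ips DESC, password_only_logins DESC;
```

Any account surfaced by the first query is a candidate for mandatory MFA enrollment or a switch to key-pair or SSO authentication; the second query gives the baseline against which unusual password-only activity can be judged.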

== Impact and government response ==
The breach had particularly serious implications for AT&T, whose call and text message metadata involving nearly all U.S. customers was compromised. The breach prompted an unprecedented request from the U.S. Department of Justice, which asked AT&T to delay public disclosure due to national security and public safety concerns. Reports later confirmed that AT&T paid a ransom of $370,000 in an attempt to have the stolen data deleted.

== Arrests and attribution ==
In late 2024, law enforcement agencies in the United States and Canada identified and apprehended two core individuals allegedly responsible for the attack:

- Connor Riley Moucka, 25 (aliases: Waifu, Judische, Ellyel8), was arrested in Kitchener, Ontario, Canada on October 30, 2024. He faces multiple charges in Washington state, including conspiracy, computer fraud, extortion, and identity theft.
- John Erin Binns, 24 (aliases: IRDev, IntelSecrets), was arrested in Turkey in May 2024. He is currently detained pending possible extradition to the United States, where he also faces charges linked to the 2021 T-Mobile breach.

Court documents also reference a third unnamed individual, known only by the alias Reddington, who allegedly acted as an intermediary between the hackers and victim organizations.

== Security implications ==
The breach drew attention to widespread security misconfigurations and insufficient enforcement of multi-factor authentication across cloud platforms. It also raised concerns over third-party risk and the need for tighter access controls and credential hygiene within cloud ecosystems.

== See also ==
- List of data breaches
- T-Mobile data breach
- Scattered Spider
- ShinyHunters
