Decipher Files: The Snowflake Credential-Stuffing Campaign and Why MFA-Optional Was the Real Vulnerability
ShinyHunters and affiliated actors exfiltrated data from approximately 165 Snowflake customer tenants by replaying credentials harvested from earlier infostealer-malware infections against accounts that had MFA disabled. The campaign exposed AT&T, Ticketmaster, Santander, Advance Auto Parts, LendingTree, Neiman Marcus, and at least 159 other customers. The cybersecurity lesson is structural: a SaaS platform that defaults MFA to opt-in inherits the entire credential-hygiene state of every customer it serves.
Founder, DecipherU. Ed.D. Learning Sciences (University of Miami), MBA Marketing, M.S. OLL (Barry University), M.S. Applied AI in progress (Northeastern University).
Snowflake confirmed on June 2, 2024 (Snowflake CISO Brad Jones blog post) that "a limited number of Snowflake customer accounts" had been targeted by what was eventually identified as a credential-stuffing campaign. Mandiant's June 10, 2024 report (UNC5537 attribution) and Snowflake's joint statement with Mandiant and CrowdStrike documented the technical anatomy: the actors used credentials harvested by infostealer malware (Vidar, Lumma, Risepro, Redline, Raccoon, Atomic, Stealc) from infections that in some cases dated back to November 2020. The credentials still worked because the affected Snowflake accounts had not enabled multi-factor authentication and no password-rotation policy had invalidated the passwords in the intervening years.
The disclosure cascade ran across the second and third quarters of 2024. AT&T disclosed on July 12, 2024 (AT&T 8-K filing) that "nearly all" of its wireless customer call and text records (approximately 109 million records) had been exfiltrated from a Snowflake-hosted database. Ticketmaster's parent Live Nation disclosed via 8-K on May 31, 2024 an incident involving approximately 560 million customer records. Santander Bank confirmed on May 14, 2024 unauthorized access to a database hosted at "a third-party provider" (later confirmed by Bloomberg reporting to be Snowflake), affecting customers in Chile, Spain, and Uruguay. Mandiant's running tally reached 165 affected tenants by August 2024.
The technical anatomy is uncommonly clean. Mandiant's UNC5537 report establishes:
1. Credentials were harvested from infostealer infections on customer or contractor endpoints, in some cases years before the Snowflake exploitation. Approximately 80 percent of the harvested credentials predated 2024.
2. Snowflake's authentication surface accepts username and password as the only authentication factor when MFA is not configured. The platform's documentation as of early 2024 described MFA as an optional feature.
3. Once authenticated, the actor used native Snowflake commands (LIST DATABASE, EXPORT DATA) to enumerate and exfiltrate without triggering anomaly-based detection. The legitimate user's role-based access typically had broad SELECT permissions.
4. Data was exfiltrated to attacker-controlled S3 buckets in many cases, leveraging Snowflake's first-party AWS integration in a way that did not look anomalous to platform monitoring.
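The anatomy above implies two detection checks a tenant can run on its own login telemetry without waiting for the platform: flag every successful login that completed with a password and no second factor, and flag logins where a user appears from an IP and client type never seen in that user's recent baseline. The block below is an added example (not code from the original article, and not from Snowflake or Mandiant) that implements both checks in plain Python over in-memory records. Field names follow the columns of Snowflake's ACCOUNT_USAGE.LOGIN_HISTORY view (EVENT_TIMESTAMP, USER_NAME, CLIENT_IP, REPORTED_CLIENT_TYPE, FIRST_AUTHENTICATION_FACTOR, SECOND_AUTHENTICATION_FACTOR, IS_SUCCESS); the rows themselves, the CORPORATE_RANGES allow-list and the 30-day baseline window are constructed assumptions.

```python
"""Added example: two defender-side checks over Snowflake-style login history.

Not code from the article or from Snowflake/Mandiant. Field names mirror
ACCOUNT_USAGE.LOGIN_HISTORY columns; sample rows, the corporate IP range and
the baseline window are constructed for illustration.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class LoginEvent:
    event_timestamp: datetime
    user_name: str
    client_ip: str
    reported_client_type: str
    first_authentication_factor: str
    second_authentication_factor: Optional[str]  # None when no MFA was presented
    is_success: bool


# Constructed sample: an MFA-enrolled analyst, a password-only service account
# with a stable baseline, then that account appearing from an unfamiliar source.
SAMPLE_EVENTS = [
    LoginEvent(datetime(2024, 4, 1, 9, 0), "ANALYST_1", "203.0.113.10", "SNOWFLAKE_UI", "PASSWORD", "DUO_PUSH", True),
    LoginEvent(datetime(2024, 4, 2, 9, 5), "ANALYST_1", "203.0.113.10", "SNOWFLAKE_UI", "PASSWORD", "DUO_PUSH", True),
    LoginEvent(datetime(2024, 4, 3, 10, 0), "SVC_REPORTING", "203.0.113.20", "JDBC_DRIVER", "PASSWORD", None, True),
    LoginEvent(datetime(2024, 4, 10, 10, 0), "SVC_REPORTING", "203.0.113.20", "JDBC_DRIVER", "PASSWORD", None, True),
    LoginEvent(datetime(2024, 4, 20, 3, 12), "SVC_REPORTING", "198.51.100.77", "PYTHON_DRIVER", "PASSWORD", None, True),
    LoginEvent(datetime(2024, 4, 21, 11, 0), "ANALYST_1", "198.51.100.77", "SNOWFLAKE_UI", "PASSWORD", None, False),
]

# Constructed allow-list of corporate egress ranges (assumption).
CORPORATE_RANGES = [ip_network("203.0.113.0/24")]


def is_corporate(ip: str) -> bool:
    """True when the client IP falls inside a known corporate egress range."""
    addr = ip_address(ip)
    return any(addr in net for net in CORPORATE_RANGES)


def password_only_logins(events):
    """Successful logins that presented a password and no second factor.

    Every hit is an account the tenant is running in exactly the state the
    campaign abused: a leaked password alone is sufficient to get in.
    """
    return [
        e for e in events
        if e.is_success
        and e.first_authentication_factor == "PASSWORD"
        and e.second_authentication_factor is None
    ]


def new_source_logins(events, baseline_days: int = 30):
    """Successful logins from an (IP, client type) pair unseen for that user
    in the preceding baseline window and outside corporate ranges.

    A user's first-ever login has no baseline and is not flagged; replayed
    stolen credentials typically arrive from a new network and a new driver.
    """
    findings = []
    history = defaultdict(list)  # user -> [(timestamp, ip, client_type)]
    for e in sorted(events, key=lambda x: x.event_timestamp):
        if not e.is_success:
            continue
        window = timedelta(days=baseline_days)
        seen = {(ip, ct) for ts, ip, ct in history[e.user_name] if e.event_timestamp - ts <= window}
        pair = (e.client_ip, e.reported_client_type)
        if seen and pair not in seen and not is_corporate(e.client_ip):
            findings.append(e)
        history[e.user_name].append((e.event_timestamp, e.client_ip, e.reported_client_type))
    return findings


def triage(events):
    """Per-user set of flags, sorted so results are stable for reporting."""
    report = defaultdict(set)
    for e in password_only_logins(events):
        report[e.user_name].add("password_only")
    for e in new_source_logins(events):
        report[e.user_name].add("new_source")
    return {user: sorted(flags) for user, flags in report.items()}


if __name__ == "__main__":
    for user, flags in triage(SAMPLE_EVENTS).items():
        print(f"{user}: {', '.join(flags)}")
```

Run against real data, the same two functions would be fed rows pulled from the LOGIN_HISTORY view; the `password_only` flag is the posture finding (accounts to enrol or migrate to key-pair auth), while `new_source` is the incident signal worth paging on, since a password-only account appearing from a new network and a new driver is exactly the shape of a replayed infostealer credential.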
Snowflake's response, documented in their July 9, 2024 announcement, made MFA mandatory for new admin accounts, deprecated single-factor password authentication on the roadmap (eventually mandatory by April 2025 per Snowflake's October 2024 customer notification), and added trust-center features for customers to verify their own posture.
Four lessons for cybersecurity practitioners:
First, MFA-optional on a SaaS platform is a structural defect, not a customer choice. The platform's least-disciplined customer becomes the platform's published vulnerability. NIST SP 800-63B Rev. 4 explicitly downgrades single-factor SMS-based authentication and prescribes phishing-resistant MFA as the baseline for "AAL2" assurance. Snowflake's customer onboarding flow left MFA optional by default as late as 2024; that gap explains the breach more than any individual customer's poor hygiene.
Second, the infostealer ecosystem has changed the credential-compromise model. Specops Software's 2024 Breached Password Report documented that 31 million unique credentials were harvested by infostealers in 2023 alone; the 2024 report (published February 2025) reached 60 million. Long-tail credentials harvested years ago remain valid because rotation cadences across SaaS platforms drift. Cybersecurity programs that rely on "annual password change" as their compromise countermeasure are structurally exposed.
Third, the SaaS-platform-to-customer responsibility split is contested. Snowflake's position throughout its public communication was that the breach was "a customer responsibility" because customers had not enabled MFA. The cybersecurity community's response, anchored by CISA's Secure-by-Design pledge and the FTC's Section 5 enforcement posture, increasingly rejects that framing: the platform's defaults are part of the platform's product. AT&T reportedly paid a ransom of about $370,000 (Wired, July 14, 2024) in exchange for deletion of the stolen data; the payment produced no structural change in AT&T's posture but did transfer wealth to the actors.
Fourth, downstream concentration risk through SaaS infrastructure is now the largest single category of supply-chain exposure most enterprises carry. Approximately 1 in 4 Fortune 500 companies use Snowflake for at least one critical data workload (Snowflake 2024 10-K filing, p. 6). The Snowflake credential-stuffing campaign is, structurally, the SaaS-era equivalent of the Equifax breach; the dependency is concentrated, the trust assumptions are inherited, and the failure mode is non-diversifiable.
For careers: SaaS security engineers, IAM engineers, and incident responders study UNC5537 because the attack pattern is repeatable across every multi-tenant SaaS platform that allows password-only authentication. The role of "SaaS security engineer" as a discipline grew measurably in the 6 months after the Snowflake disclosures.
Verifiable Predictions
By end of 2026, every major SaaS platform serving regulated US industries will require MFA on all administrative accounts, with compliance-mandate framing rather than security-best-practice framing.
The FTC will pursue a Section 5 enforcement action against at least one SaaS platform whose MFA-optional default contributed to a customer breach within 24 months.
Infostealer-derived credentials will remain the dominant initial-access vector for SaaS breaches through at least 2027, given the 5-7 year decay tail on harvested credentials.
References
- Mandiant (2024). UNC5537 Targets Snowflake Customer Instances for Data Theft and Extortion. Mandiant Threat Research.
- Snowflake Inc. (2024). Joint Statement on Targeted Threat Activity (with Mandiant and CrowdStrike). Snowflake Security Bulletin.
- AT&T Inc. (2024). Form 8-K filed July 12, 2024, wireless customer call/text records cybersecurity incident. US Securities and Exchange Commission.
- Live Nation Entertainment Inc. (2024). Form 8-K filed May 31, 2024, Ticketmaster cybersecurity incident. US Securities and Exchange Commission.
- Specops Software (2024). 2024 Breached Password Report. Specops Software Research.
- Grassi, P., et al. (2024). NIST SP 800-63B Rev. 4: Digital Identity Guidelines, Authentication and Lifecycle Management. National Institute of Standards and Technology. https://doi.org/10.6028/NIST.SP.800-63b-4
This trend analysis represents original research and interpretation by DecipherU. Predictions are based on publicly available data and cited academic sources. Actual outcomes may differ. This content is for educational purposes and does not constitute investment, career, or financial advice.
This analysis covers the April-July 2024 period. DecipherU reviews and updates trend articles monthly. The article includes 3 verifiable predictions that will be tracked and updated as events unfold.