Credential theft
Santander Bank data breach via Snowflake (UNC5537 / ShinyHunters)
Incident Details
UNC5537 accessed a third-party Snowflake-hosted database used by Santander. The breach began on April 17, was discovered on May 10, and was disclosed on May 14. ShinyHunters listed the data on BreachForums, claiming 6 million account numbers and 28 million credit card numbers from customers in Chile, Spain and Uruguay, plus data on all current and former staff globally. The Maine AGO was notified that the SSNs and payroll account numbers of 12,786 US employees were exposed. No transactional data or login credentials were compromised. The incident is part of the broader 165-organisation Snowflake campaign.
Technical Details
- Initial Attack Vector: CWE-307: Improper Restriction of Excessive Authentication Attempts (stolen credentials reused against Snowflake tenant with no MFA)
- Vendor / Product: Snowflake cloud data platform / Santander third-party database
Timeline
- 2024-04-17 Breach occurred
- 2024-05-14 Publicly disclosed
- 2024-06-01 Customers notified