Credential theft
Primary Sources: Mandiant / Wikipedia / CNBC / BleepingComputer
Incident Details
UNC5537 / Scattered Spider / ShinyHunters used credentials stolen by infostealer malware (some dating back to Nov 2020) to access 160+ Snowflake customer environments that lacked MFA. Major victims: Ticketmaster (560M records), AT&T (call/text records of ~110M customers), Santander, LendingTree, Advance Auto Parts, Neiman Marcus. Mandiant found that 79.7% of the compromised accounts used infostealer-stolen credentials. Connor Moucka (Waifu/Judische) was arrested in Canada in Oct 2024. $2M+ was extorted from victims.
Technical Details
- Initial Attack Vector: CWE-522: Insufficiently Protected Credentials (infostealer-harvested credentials used against Snowflake instances lacking MFA)
- Vendor / Product: Snowflake cloud data platform
- Malware Family: Redline Stealer / Lumma Stealer / Vidar / Raccoon Stealer / RisePro
Timeline
- 2024-04-01 Breach occurred
- 2024-05-30 Publicly disclosed
- 2024-06-01 Customers notified