Credential theft
Snowflake UNC5537 Mass Customer Breach Campaign
Incident Details
UNC5537 compromised approximately 165 Snowflake customer tenants in a mass credential-stuffing campaign beginning in April 2024. Known victims include AT&T (110M records), Ticketmaster (560M), Santander, Neiman Marcus, LendingTree/QuoteWizard, LAUSD, Pure Storage, Advance Auto Parts, and Cylance. Some of the credentials used dated back to 2020. Connor Moucka ("judische") was arrested in Canada in October 2024; John Erin Binns was arrested in Turkey. Mandiant (Google) published a detailed threat intelligence report on UNC5537. Snowflake itself was not breached; every compromised account lacked MFA.
Technical Details
- Initial Attack Vector: UNC5537 (Scattered Spider / ShinyHunters) used credentials harvested by infostealer malware (Lumma, Vidar, RedLine, RisePro, Raccoon) to log into Snowflake customer accounts that lacked MFA; there was no breach of Snowflake's own platform.
- Vendor / Product: Snowflake (cloud data warehouse)
- Malware Family: Lumma; Vidar; RedLine; RisePro; Raccoon (infostealers used to harvest credentials)
Timeline
- 2024-04-01: Breach occurred
- 2024-05-30: Publicly disclosed
- 2024-06-01: Customers notified