2024 Snowflake Inc data breach
In 2024, two hackers affiliated with the hacking group UNC5537, also known as Scattered Spider, accessed and stole data from Snowflake customer cloud instances.[1][2]
The hackers used login credentials harvested by infostealer malware to access large volumes of sensitive customer data that had been uploaded to Snowflake accounts. The compromised accounts were accessed with only a username and password; no form of multi-factor authentication was required.[3] Data on more than 160 Snowflake customers was stolen, including AT&T, Live Nation / Ticketmaster, Santander, LendingTree, Advance Auto Parts, Neiman Marcus, and Bausch Health.[4][5]
A Mandiant report on the extortion campaign notes that victim companies were privately approached by the hackers, who demanded a ransom in exchange for a promise not to sell or leak the stolen data.[6] The data stolen from the various organizations included personal information on American citizens, more than 50 billion call logs from AT&T,[7][2] medical prescriber DEA numbers, and private customer banking information.[8]
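The weakness described above, a password-only login with no second factor, is visible in Snowflake's own login audit data. The following query is an added example, not taken from the article or its sources; it assumes the Snowflake-provided SNOWFLAKE.ACCOUNT_USAGE.LOGIN_HISTORY view, and the 30-day window is an arbitrary choice.

```sql
-- Added example: list successful Snowflake logins that relied on a password
-- alone (no second authentication factor recorded), grouped by user and
-- source IP so that unfamiliar sources stand out for review.
-- Column names come from SNOWFLAKE.ACCOUNT_USAGE.LOGIN_HISTORY;
-- the 30-day look-back window is an assumed value.
SELECT
    user_name,
    client_ip,
    reported_client_type,
    COUNT(*)             AS password_only_logins,
    MIN(event_timestamp) AS first_seen,
    MAX(event_timestamp) AS last_seen
FROM snowflake.account_usage.login_history
WHERE is_success = 'YES'
  AND first_authentication_factor = 'PASSWORD'
  AND second_authentication_factor IS NULL
  AND event_timestamp >= DATEADD(day, -30, CURRENT_TIMESTAMP())
GROUP BY user_name, client_ip, reported_client_type
ORDER BY password_only_logins DESC;
```

Any user appearing in the result is one whose stolen password alone would have been sufficient to log in, which is the condition the breach exploited.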
Group Members
The group consisted of two core members.
Waifu
Connor Riley Moucka, 25 (aliases: Waifu, Judische, Ellyel8), was arrested by police in Kitchener, Ontario, Canada, at the request of the United States, on October 30, 2024. A Washington state court has issued an indictment on charges of conspiracy, computer fraud and abuse, extortion, and aggravated identity theft.[8][9] Moucka is currently awaiting extradition proceedings to the United States.[10]
IRDev
John Erin Binns, 24 (aliases: IRDev, IntelSecrets), was arrested in Turkey in late May 2024 and is currently held in a Turkish prison.[11] Binns faces possible extradition to the United States, where he is wanted on criminal hacking charges tied to the 2021 T-Mobile data breach.[12]
References
- [1] Novet, Jordan (2024-07-12). "AT&T's massive data breach deepens crisis for Snowflake seven weeks after hack was disclosed". CNBC. Retrieved 2024-12-24.
- [2] Franceschi-Bicchierai, Lorenzo (2024-11-12). "Snowflake hackers identified and charged with stealing 50 billion AT&T records". TechCrunch. Retrieved 2024-12-24.
- [3] Whittaker, Zack (2024-06-05). "Hundreds of Snowflake customer passwords found online are linked to info-stealing malware". TechCrunch. Retrieved 2024-12-24.
- [4] Burgess, Matt. "The Snowflake Attack May Be Turning Into One of the Largest Data Breaches Ever". Wired. ISSN 1059-1028. Retrieved 2024-12-24.
- [5] "Advance Auto Parts stolen data for sale after Snowflake attack". BleepingComputer. Retrieved 2024-12-24.
- [6] "UNC5537 Targets Snowflake Customer Instances for Data Theft and Extortion". Google Cloud Blog. Retrieved 2024-12-24.
- [7] Zetter, Kim. "AT&T Paid a Hacker $370,000 to Delete Stolen Phone Records". Wired. ISSN 1059-1028. Retrieved 2024-12-24.
- [8] "Charges Unsealed Against Alleged Hackers of Snowflake Customers". Bloomberg.com. 2024-11-11. Retrieved 2024-12-24.
- [9] McMillan, Robert; Monga, Vipal. "He Investigates the Internet's Most Vicious Hackers—From a Secret Location". WSJ. Retrieved 2024-12-24.
- [10] "Snowflake-Indc". www.documentcloud.org. Retrieved 2024-12-25.
- [11] "Snowflake Hacker Still Active, Finding New Victims, Expert Says". Bloomberg.com. 2024-09-20. Retrieved 2024-12-24.
- [12] "Canadian Man Arrested in Snowflake Data Extortions". Krebs on Security. 2024-11-05. Retrieved 2024-12-24.