Incident
Snowflake: 165 Customers Breached via Stolen Credentials
Threat actor UNC5537 used infostealer-harvested credentials to access 165 Snowflake customer environments. 80%+ had prior credential exposure. None had MFA.
Key Finding
Victims include AT&T (nearly all US customer metadata), Ticketmaster, Santander Bank, and Advance Auto Parts.
In June 2024, Mandiant disclosed that a single threat actor tracked as UNC5537 had used credentials stolen by infostealer malware to access approximately 165 Snowflake customer environments. The campaign represented the single largest identity-based breach operation of 2024.
Crucially, Snowflake itself was not breached. Every compromise occurred because individual customers relied on single-factor authentication for a cloud data warehouse containing their most sensitive data. Over 80% of compromised accounts had credentials that had already appeared in prior breach databases. None of the affected accounts had MFA enabled.
The victim list reads like a Fortune 500 directory: AT&T (nearly all US customer call and text metadata), Ticketmaster (560 million records), Santander Bank, and Advance Auto Parts, among others.
This incident is the canonical example of a principle we emphasize at ATLAS Apex: your identity posture IS your security posture. No amount of network segmentation, endpoint detection, or data encryption compensates for the absence of basic identity controls on the systems that hold your most valuable data.
The Snowflake campaign also demonstrates the compounding effect of infostealer malware. Credentials stolen months or years earlier, sitting dormant in criminal marketplaces, were activated against high-value targets. Identity architecture must account for this reality. Credentials should be treated as compromised by default, and access decisions should never rest on a password alone.
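Because every compromise here came down to a password-only login to a Snowflake account, the checks a defender wants are account-level: which users can still log in with just a password, which logins actually did, and a policy that closes the gap. The following is an added example, not part of the original page and not Snowflake's or Mandiant's own guidance; it assumes the column names of the `SNOWFLAKE.ACCOUNT_USAGE` views and the authentication-policy syntax as currently documented by Snowflake, and the database and schema names `security_db.policies` are placeholders.

```sql
-- Added example (not from the original page). Assumes ACCOUNT_USAGE view columns
-- (USERS.HAS_MFA, LOGIN_HISTORY.FIRST/SECOND_AUTHENTICATION_FACTOR) and the
-- authentication-policy DDL as documented by Snowflake. Run with a role that can
-- read the SNOWFLAKE database and alter the account (e.g. ACCOUNTADMIN).
-- ACCOUNT_USAGE views lag live state by up to ~2 hours; they are audit data, not real time.

-- 1. Inventory: active, password-capable users with no MFA enrolled.
--    These are exactly the accounts an infostealer-harvested password unlocks.
SELECT name, login_name, email, last_success_login, has_rsa_public_key
FROM snowflake.account_usage.users
WHERE deleted_on IS NULL
  AND disabled::BOOLEAN = FALSE
  AND has_password::BOOLEAN = TRUE
  AND COALESCE(has_mfa, FALSE) = FALSE
ORDER BY last_success_login DESC NULLS LAST;

-- 2. Detection: successful logins in the last 30 days that relied on a password
--    alone (no second factor). Group by user/IP to spot a stolen credential being
--    replayed from an address the user has never used before.
SELECT user_name, client_ip, reported_client_type,
       COUNT(*) AS logins, MIN(event_timestamp) AS first_seen, MAX(event_timestamp) AS last_seen
FROM snowflake.account_usage.login_history
WHERE event_timestamp >= DATEADD(day, -30, CURRENT_TIMESTAMP())
  AND is_success = 'YES'
  AND first_authentication_factor = 'PASSWORD'
  AND second_authentication_factor IS NULL
GROUP BY user_name, client_ip, reported_client_type
ORDER BY last_seen DESC;

-- 3. Mitigation: an account-wide authentication policy that forces MFA enrolment
--    for anyone who authenticates with a password. Service accounts should move to
--    key-pair or OAuth rather than be exempted. Database/schema names are placeholders.
CREATE AUTHENTICATION POLICY IF NOT EXISTS security_db.policies.require_mfa_policy
  AUTHENTICATION_METHODS = ('PASSWORD', 'SAML', 'OAUTH', 'KEYPAIR')
  MFA_ENROLLMENT = REQUIRED
  MFA_AUTHENTICATION_METHODS = ('PASSWORD')
  COMMENT = 'Password logins must enrol in MFA';

ALTER ACCOUNT SET AUTHENTICATION POLICY security_db.policies.require_mfa_policy;
```

Query 1 is the list to drive enrolment; query 2 is the one to schedule and alert on, since a password-only success from a new IP is the signal this campaign would have produced.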
Need help with your identity architecture?
Every incident on this page was preventable with the right architecture. Let's talk about yours.
Book a Conversation