Snowflake Credential Theft: Ticketmaster, AT&T, and 160 Others Breached via Stolen Logins
A hacking group used infostealer malware logs to collect Snowflake login credentials from data engineers' laptops, then accessed customer databases directly — no hacking required, just valid usernames and passwords.
Attack Chain
1. Infostealer malware infects contractor
2. Credentials stolen (no MFA)
3. Snowflake accounts accessed
4. 160+ customer databases exfiltrated
5. Ticketmaster, AT&T data listed for sale
Background
Snowflake is a cloud data warehousing platform used by thousands of major corporations to store and query large datasets. Many customers stored highly sensitive data — customer records, call logs, payment data — in Snowflake, relying on Snowflake's own security rather than implementing additional controls.
The Attack
The attackers — a group called ShinyHunters and an associate known as Judische — purchased logs from infostealer malware that had infected data engineers' personal laptops. These logs contained the Snowflake credentials stored in browser profiles and credential managers. Because most Snowflake tenants had not enabled MFA, the valid credentials provided direct database access. Using a custom tool called "RapeFlake," they systematically connected to Snowflake instances and exfiltrated data. Victims included Ticketmaster (560 million records), AT&T (110 million customers' call records), Advance Auto Parts, and at least 160 other organisations.
Response
Snowflake issued guidance urging all customers to enable MFA and review connected third-party application access. The platform itself was not breached — the attackers used legitimate credentials. AT&T paid $370,000 to the attacker to delete its data. Two suspects were arrested, including one while attempting to enter Canada.
Outcome
The case illustrated that cloud platform breaches increasingly happen through compromised credentials, not platform vulnerabilities. Snowflake subsequently made MFA mandatory for all new accounts. The scale — 160+ organisations breached simultaneously — demonstrated the leverage available to attackers who can harvest credentials at scale.
Key Takeaways
- Enforce MFA on all cloud data platform accounts — no exceptions for legacy or service accounts
- Infostealer malware on developer laptops is a direct path to corporate cloud environments
- Cloud tenants cannot rely solely on platform security — implement your own access controls and MFA
- Credential hygiene across personal and corporate devices matters — browser-stored passwords are vulnerable