Snowflake Customer Accounts Breached in Credential-Theft Campaign
A broad intrusion campaign compromised Snowflake customer environments including Ticketmaster, Santander and AT&T after attackers used credentials stolen by infostealer malware or bought on criminal forums, rather than exploiting a flaw in Snowflake itself. Reporting tied the activity to ShinyHunters, which advertised allegedly stolen data from Ticketmaster and Santander, while Mandiant said many affected accounts lacked multifactor authentication and that more than 100 customer environments were targeted. AT&T said the attackers accessed its Snowflake environment in April and stole call and text metadata for nearly 110 million customers, including numbers contacted, interaction counts and aggregate call durations, but not message content.
The campaign evolved from data theft into extortion, with victims receiving ransom demands and law enforcement pursuing suspects tied to the operation. Canadian authorities arrested a man from Kitchener, Ontario, in connection with the Snowflake hacking and extortion scheme, and reporting later indicated another suspected participant may have been a U.S. soldier. Government agencies including Australia’s Signals Directorate and U.S. investigators were drawn into the response, and AT&T said disclosure of its breach was temporarily delayed at the request of the FBI and DOJ because of national security and public safety concerns.
How this story unfolded
17 events from the most recent confirmed update back to the earliest known activity.
Neiman Marcus identified as Snowflake breach victim
BlackFog's account of the Snowflake campaign lists Neiman Marcus among the publicly identified organizations affected by the customer-environment compromises. This adds a new named victim beyond those already captured in the existing timeline.
CBC reports extradition risk for arrested Canadian suspect
CBC reported that the Kitchener, Ontario man arrested over the Snowflake hacking scheme could face extradition to the United States. The development showed the case progressing beyond arrest toward potential prosecution.
Krebs reports second suspect may be a U.S. soldier
Further reporting identified another alleged participant in the Snowflake extortion activity and said the suspect may be a U.S. soldier. This expanded public attribution around the people allegedly involved in the campaign.
Canadian suspect arrested in Snowflake data extortions
A Canadian man was arrested in connection with the Snowflake data extortion campaign. The arrest represented a significant law enforcement action in the investigation into the breaches and related extortion attempts.
CyberScoop reports Snowflake breach actor remains active
Reporting indicated that a hacker tied to the Snowflake customer data breaches was still active months after the initial disclosures. This marked a continuing operational threat beyond the first wave of victim notifications.
AT&T reportedly pays hacker to delete stolen call records
WIRED reported that AT&T paid a hacker about $370,000 in cryptocurrency in an effort to secure deletion of data stolen from its Snowflake environment. The payment marked a specific post-breach extortion response by AT&T beyond its earlier public disclosure of the incident.
AT&T discloses breach affecting nearly 110 million customers
AT&T disclosed that a cyberattack against its Snowflake environment exposed call and text metadata for roughly 110 million customers. The stolen records covered a six-month period ending October 31, 2022, plus records from January 2, 2023, but not message contents or customer names.
Mandiant links Snowflake campaign to stolen credentials and missing MFA
Mandiant reported that the Snowflake intrusions were driven by stolen credentials harvested from non-Snowflake systems and that affected accounts generally lacked multifactor authentication. Reporting said more than 165 Snowflake customers did not use MFA, underscoring the campaign's scale and cause.
Pure Storage confirms breach tied to Snowflake account hack
Pure Storage confirmed that attackers accessed data through a compromised Snowflake account, making it another publicly identified victim in the broader Snowflake customer compromise campaign. The disclosure added a new affected organization beyond those already named publicly.
Snowflake breach victims receive ransom demands
Reporting said victims of the Snowflake data breach campaign were receiving ransom demands. This reflected a later-stage monetization and extortion phase affecting organizations compromised in the earlier intrusions.
Advance Auto Parts and LendingTree linked to Snowflake breaches
WIRED reported that Advance Auto Parts and LendingTree were among the organizations affected in the Snowflake customer compromise campaign. The report expanded the known victim list beyond Santander and Ticketmaster, indicating the breach wave was broader than initially disclosed.
Australian Signals Directorate confirms several Snowflake compromises
Australia's Signals Directorate said it was aware of successful compromises involving several companies using Snowflake environments. This added government confirmation that the activity extended beyond the initially named victims.
Snowflake says multiple customer accounts were compromised
Snowflake disclosed that accounts belonging to multiple customers were compromised after threat actors used credentials obtained via infostealer malware or bought on cybercrime forums. The company said the activity was not due to a vulnerability in Snowflake's platform itself.
Ticketmaster confirms breach tied to Snowflake environment
Ticketmaster parent Live Nation confirmed a recently disclosed breach and identified Snowflake as the third-party cloud provider involved. The incident was publicly linked to the same campaign affecting other Snowflake customers.
Santander discloses customer and employee data breach
Santander disclosed that data belonging to millions of customers and all current and some former employees had been hacked. Reporting linked the incident to compromises of Snowflake customer environments.
AT&T discovers Snowflake data theft and starts response
AT&T said it discovered the theft on April 19, 2024, and began incident response with third-party cybersecurity experts. Subsequent public disclosure was delayed after FBI and DOJ requests tied to national security and public safety concerns.
Attackers access AT&T Snowflake environment
AT&T said attackers accessed its Snowflake environment between April 14 and April 25, 2024, as part of the broader Snowflake customer compromise campaign. The intrusion led to theft of call and text metadata affecting nearly all of AT&T's wireless customers.
Sources
Snowflake Data Breach Explained: Timeline, Impact, and Key Lessons | BlackFog (blackfog.com)
Victims of Snowflake Data Breach Receive Ransom Demands (bankinfosecurity.com)
Kitchener, Ont., man arrested in massive Snowflake hacking scheme faces possible extradition to U.S. | CBC News (cbc.ca)
Hacker in Snowflake Extortions May Be a U.S. Soldier - Krebs on Security (krebsonsecurity.com)
Snowflake account hacks linked to Santander, Ticketmaster breaches (bleepingcomputer.com)
Live Nation confirms Ticketmaster was hacked, says personal information stolen in data breach | TechCrunch (techcrunch.com)
Cloud company Snowflake denies that reported breach originated with its products | The Record from Recorded Future News (therecord.media)
All Santander staff and millions of customers have data hacked (bbc.com)



