Anatomy of a Breach: The Snowflake Campaign — Ticketmaster, Santander, and AT&T All Hit Through Stolen Credentials Without MFA

> series: anatomy_of_a_breach —— part: 185 —— platform: snowflake —— victims: ticketmaster_560M_santander_30M_att_110M —— root_cause: no_mfa

Hedgehog Security 31 May 2024 15 min read

Ticketmaster 560M. Santander 30M. AT&T 110M. All through Snowflake accounts without MFA.

In May-June 2024, a threat actor (tracked as UNC5537) systematically accessed Snowflake cloud data platform accounts belonging to approximately 165 organisations using credentials stolen through infostealer malware. The compromised accounts did not have multi-factor authentication enabled. The campaign yielded some of the largest data thefts of the year: Ticketmaster (approximately 560 million customer records), Santander (approximately 30 million), and — disclosed separately in July — AT&T (call and text metadata for approximately 110 million customers over a six-month period).

The credentials had been stolen by infostealer malware — Vidar, RedLine, and similar — installed on employees' personal devices or unmanaged computers. The stolen credentials were then sold on dark web marketplaces and used to log directly into Snowflake accounts that lacked MFA. Snowflake itself was not breached — the platform's own infrastructure was not compromised. The failures were entirely on the customer side: stolen credentials, no MFA, and no session monitoring. The campaign was the most consequential demonstration of the MFA imperative in the history of this series — affecting over 700 million people through a single, preventable authentication failure.

The same lesson. Sixteen years. Still not learned.

MFA Would Have Prevented Everything
Every single compromise in the Snowflake campaign was through accounts without MFA. With MFA enabled, the stolen credentials would have been worthless. <a href="/cyber-essentials">Cyber Essentials Danzell</a> makes MFA an auto-fail criterion — the most important single control in cybersecurity, validated by sixteen years of this series.
Infostealer Malware on Personal Devices
The credentials were stolen by infostealer malware on employees' personal or unmanaged devices — highlighting the risk of BYOD and personal device usage for corporate access. <a href="/cyber-essentials">Cyber Essentials</a> addresses device management requirements. <a href="https://www.socinabox.co.uk">SOC in a Box</a> monitors for credential use from unmanaged devices.
Cloud Platform Security Is Your Responsibility
Snowflake was not breached — its customers' accounts were. Cloud platform security is a shared responsibility: the platform provider secures the infrastructure; the customer secures authentication and access. Our <a href="/penetration-testing/cloud-configuration-review">cloud configuration reviews</a> assess authentication controls on cloud platforms.
700 Million+ People Affected
Ticketmaster (560M), AT&T (110M), Santander (30M), and others — the combined impact exceeded 700 million individuals. The Snowflake campaign was the most impactful credential-based attack in history, surpassing even <a href="/blog/anatomy-of-a-breach-collection-1">Collection #1's</a> downstream impact. <a href="https://www.socinabox.co.uk/blog/what-is-the-dark-web-business-guide">Dark web monitoring</a> through <a href="https://www.socinabox.co.uk">SOC in a Box</a> detects stolen credentials before they are used.
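As an added example (not the article's or Hedgehog Security's code), the audit a Snowflake customer can run over an export of its login history to find the two customer-side gaps described above: successful password-only logins with no second factor, and successful logins from sources outside known corporate ranges. Column names follow Snowflake's SNOWFLAKE.ACCOUNT_USAGE.LOGIN_HISTORY view; the rows and the known-range list are constructed sample data.

```python
"""Added example: flag password-only and unfamiliar-source Snowflake logins.
Column names follow the LOGIN_HISTORY view; the rows below are constructed
sample data, not real telemetry."""
import json
from collections import defaultdict

# Constructed newline-delimited JSON export of LOGIN_HISTORY rows.
SAMPLE_LOGIN_HISTORY = """
{"EVENT_TIMESTAMP":"2024-05-14T02:11:09Z","USER_NAME":"ETL_SVC","CLIENT_IP":"198.51.100.20","REPORTED_CLIENT_TYPE":"JDBC_DRIVER","FIRST_AUTHENTICATION_FACTOR":"PASSWORD","SECOND_AUTHENTICATION_FACTOR":null,"IS_SUCCESS":"YES"}
{"EVENT_TIMESTAMP":"2024-05-14T09:02:41Z","USER_NAME":"ALICE","CLIENT_IP":"198.51.100.7","REPORTED_CLIENT_TYPE":"SNOWFLAKE_UI","FIRST_AUTHENTICATION_FACTOR":"PASSWORD","SECOND_AUTHENTICATION_FACTOR":"DUO_PUSH","IS_SUCCESS":"YES"}
{"EVENT_TIMESTAMP":"2024-05-14T09:05:00Z","USER_NAME":"BOB","CLIENT_IP":"192.0.2.55","REPORTED_CLIENT_TYPE":"PYTHON_DRIVER","FIRST_AUTHENTICATION_FACTOR":"PASSWORD","SECOND_AUTHENTICATION_FACTOR":null,"IS_SUCCESS":"YES"}
{"EVENT_TIMESTAMP":"2024-05-14T09:06:13Z","USER_NAME":"BOB","CLIENT_IP":"192.0.2.55","REPORTED_CLIENT_TYPE":"PYTHON_DRIVER","FIRST_AUTHENTICATION_FACTOR":"PASSWORD","SECOND_AUTHENTICATION_FACTOR":null,"IS_SUCCESS":"NO"}
{"EVENT_TIMESTAMP":"2024-05-14T11:40:27Z","USER_NAME":"CAROL","CLIENT_IP":"203.0.113.10","REPORTED_CLIENT_TYPE":"SNOWFLAKE_UI","FIRST_AUTHENTICATION_FACTOR":"PASSWORD","SECOND_AUTHENTICATION_FACTOR":"DUO_PUSH","IS_SUCCESS":"YES"}
"""
# Constructed corporate egress ranges; anything else is treated as unmanaged.
KNOWN_SOURCE_PREFIXES = ("198.51.100.",)


def parse_login_history(text):
    """Parse newline-delimited JSON rows, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]

def password_only_logins(rows):
    """Successful logins made with a password and no second factor:
    exactly the sessions a stolen credential alone can open."""
    return [r for r in rows
            if r["IS_SUCCESS"] == "YES"
            and r["FIRST_AUTHENTICATION_FACTOR"] == "PASSWORD"
            and not r["SECOND_AUTHENTICATION_FACTOR"]]

def logins_from_unknown_sources(rows, known_prefixes=KNOWN_SOURCE_PREFIXES):
    """Successful logins whose source IP is outside the known ranges."""
    return [r for r in rows
            if r["IS_SUCCESS"] == "YES"
            and not r["CLIENT_IP"].startswith(known_prefixes)]

def users_to_remediate(rows):
    """Map each flagged user to the reasons they need MFA enforced
    or credentials rotated (failed attempts are deliberately ignored)."""
    reasons = defaultdict(set)
    for r in password_only_logins(rows):
        reasons[r["USER_NAME"]].add("no_mfa")
    for r in logins_from_unknown_sources(rows):
        reasons[r["USER_NAME"]].add("unknown_source")
    return {user: sorted(why) for user, why in reasons.items()}

if __name__ == "__main__":
    for user, why in users_to_remediate(parse_login_history(SAMPLE_LOGIN_HISTORY)).items():
        print(f"{user}: {', '.join(why)}")
```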

MFA. The single control that keeps preventing the largest breaches in history.

The Snowflake campaign is the definitive case for MFA. Sixteen years of the Anatomy of a Breach series — 185 articles — and the single most impactful control remains multi-factor authentication. Every major breach in 2024 that involved credential compromise — Microsoft/Midnight Blizzard, Change Healthcare, and the Snowflake campaign — exploited accounts without MFA. Cyber Essentials Danzell makes MFA an auto-fail criterion because the evidence from 185 articles over sixteen years is irrefutable. Our penetration testing validates MFA enforcement. SOC in a Box monitors for credential compromise. And UK Cyber Defence provides incident response when authentication fails.
700 million people affected through Snowflake accounts without MFA. Is MFA enforced on every account in your organisation?

<a href="/cyber-essentials">Cyber Essentials Danzell</a> mandates MFA. <a href="/penetration-testing">Penetration testing</a> validates enforcement. <a href="https://www.socinabox.co.uk">SOC in a Box</a> monitors for credential theft.