Attack graph nodes: WWW → Contractor Laptop → Stolen Credentials → Snowflake User → Snowflake Warehouse → Attacker Storage → Operator arrest
SCN-004 / Infostealer + No MFA + Stale Credentials / 2024

Snowflake 2024

Credentials harvested by infostealer malware on contractor laptops - some dating to 2020 - were replayed against Snowflake accounts without MFA. 165 customer instances impacted; AT&T, Ticketmaster, Santander, LendingTree among named victims.
- 165 orgs impacted
- 79.7% creds previously exposed
- 0 MFA enforcement
- 4+ yrs oldest creds (2020)
UNC5537 · Moucka arrested 2024
Attackers did not break in - they logged in with credentials stolen from developer laptops as far back as 2020, because MFA was not required at the tenant level.
- Exposure: $28M+ ($28M of AT&T's $177M settlement, preliminary June 2025; Ticketmaster MDL still active)
- Time to detect: 4 years (earliest infostealer infection Nov 2020; Mandiant alerted Snowflake May 22 2024)
- Fix complexity: Enforce MFA (tenant-level MFA + network allow-lists per Mandiant top recommendations)
Ask your team this Friday
Which of our SaaS data warehouses (Snowflake, Databricks, BigQuery) allow username+password authentication without enforced MFA at tenant policy level?
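As an added example (not part of the original page), the Snowflake SQL that answers that question for one Snowflake tenant, followed by the two fixes the scenario names. View and column names are from Snowflake's ACCOUNT_USAGE schema; the policy names and IP range are placeholders.

```sql
-- Added example, not from the original page. Run as ACCOUNTADMIN.
-- ACCOUNT_USAGE views lag live state by up to ~2 hours.

-- 1. Active users that can still log in with a password and have no MFA enrolled
--    (EXT_AUTHN_DUO is the Duo MFA enrolment flag).
SELECT name,
       has_password,
       ext_authn_duo AS mfa_enrolled,
       last_success_login
FROM snowflake.account_usage.users
WHERE deleted_on IS NULL
  AND disabled = FALSE
  AND has_password = TRUE
  AND ext_authn_duo = FALSE
ORDER BY last_success_login NULLS FIRST;

-- 2. Successful password-only logins in the last 30 days (no second factor):
--    the footprint a replayed infostealer credential leaves in the tenant.
SELECT event_timestamp,
       user_name,
       client_ip,
       reported_client_type
FROM snowflake.account_usage.login_history
WHERE event_timestamp > DATEADD(day, -30, CURRENT_TIMESTAMP())
  AND is_success = 'YES'
  AND first_authentication_factor = 'PASSWORD'
  AND second_authentication_factor IS NULL
ORDER BY event_timestamp DESC;

-- 3. Fix: require MFA enrolment for the whole account and allow-list source
--    networks (the two Mandiant recommendations quoted on this page).
CREATE AUTHENTICATION POLICY require_mfa_policy      -- placeholder name
  MFA_ENROLLMENT = REQUIRED;

CREATE NETWORK POLICY corp_only_policy               -- placeholder name
  ALLOWED_IP_LIST = ('203.0.113.0/24');              -- placeholder (RFC 5737 range)

ALTER ACCOUNT SET AUTHENTICATION POLICY require_mfa_policy;
ALTER ACCOUNT SET NETWORK_POLICY = corp_only_policy;
```

Query 1 is the list to drive MFA enrolment; query 2 is the detection to keep running until that list is empty, since a stolen password alone still authenticates any user it returns.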
STEP 01 UNC5537 sources credentials from infostealer logs
Logs harvested across multiple stealer families (Mandiant attribution)
# Mandiant-named infostealer families used as the input source for UNC5537:
  - VIDAR
  - RISEPRO
  - REDLINE
  - RACCOON STEALER
  - LUMMA
  - METASTEALER

# Distribution: Russian-language criminal markets + Telegram channels.
# Credential age: some logs dated to 2020 - 4+ years stale at time of use.
Out-of-band initial access · the credentials were not stolen from Snowflake - they were stolen from contractors, developers and personal devices whose browsers had saved them.