BIPI

AT&T's Snowflake Breach: 300M Records and the Identity Gap

Threat Intelligence

AT&T's 2024 call detail record breach exposed nearly every customer's communication metadata. The vector was not the telco's own network but a Snowflake tenant without MFA.

By Arjun Raghavan, Security & Systems Lead, BIPI · May 9, 2024 · 8 min read

Tags: at&t · snowflake · data-breach

In April 2024, AT&T discovered that call and text records covering nearly every customer between May and October 2022, plus a slice of January 2023, had been exfiltrated from a third-party cloud workspace. That workspace was a Snowflake tenant. AT&T was one of more than 165 organizations hit in the same wave that also touched Ticketmaster, Santander, Advance Auto Parts, Neiman Marcus, and others. The vector was uniform across victims: customer Snowflake instances accessed with stolen credentials and no MFA enforcement.

Timeline

Mandiant traced the credential harvest to infostealer logs going back years (some as old as 2020), sold through Russian Market and similar shops. The threat actor cluster Mandiant tracked as UNC5537 began systematically logging into Snowflake customer tenants in mid-April. AT&T was notified on April 19 that data had been exfiltrated. AT&T disclosed publicly on July 12 after a DOJ-approved delay to allow investigation. Snowflake's own analysis confirmed there was no breach of Snowflake's platform: every victim was compromised through stolen customer credentials on accounts without MFA.

Root cause: identity as a single factor

The Snowflake wave is the cleanest case study in identity-only security failure we have seen at this scale. Snowflake supported MFA. Snowflake supported network policies. Snowflake supported SSO. Customers did not turn those features on. The actor used credentials harvested from infostealers running on individual employee laptops (often personal devices used for work) and logged into corporate data warehouses with username and password. No exploit, no zero-day, no novel TTP. Just identity hygiene gaps at scale.

What 300 million CDR records reveal

Call detail records are not call content. They are metadata: which numbers called which numbers, when, for how long, and from which cell sites. That data is famously sensitive precisely because it does not need content to compromise people. Patterns of contact reveal organizational structure, source-journalist relationships, romantic affairs, medical visits, legal counsel, political activity. Cell site fields, included for some records, reveal physical location. For nearly every AT&T customer, the actor walked away with six months of life patterns. That is the kind of data nation-state services historically had to wiretap for; it was sitting in a Snowflake table behind a password.

Detection

Snowflake's own telemetry captured all of this; it simply was not being looked at. The login records showed sessions from residential proxies and VPS providers that did not match the customer's normal pattern. The query patterns were enormous SELECTs against tables that normally served dashboards. The destination IPs for COPY INTO operations were attacker-controlled buckets. None of these signals is subtle, and Snowflake-native and CASB-based detections existed for all of them. The gap was that nobody was running them on the warehouse.
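The three signals above map directly onto Snowflake's ACCOUNT_USAGE views, and each can be hunted with a saved query. What follows is an added example written for this post, not code from AT&T, Mandiant or Snowflake: the corporate IP ranges (203.0.113.x, 198.51.100.x), the approved stage name `analytics_export_stage`, and the row-count thresholds are constructed placeholders to be replaced with your own baseline.

```sql
-- Added example (not from the original post): three hunts over Snowflake's
-- ACCOUNT_USAGE views for the signals described in the Detection section.
-- The IP ranges, stage name and thresholds below are constructed placeholders.

-- 1. Successful password-only logins from outside known corporate ranges.
--    Note: ACCOUNT_USAGE.LOGIN_HISTORY can lag real time by up to ~2 hours.
SELECT event_timestamp, user_name, client_ip, reported_client_type,
       first_authentication_factor, second_authentication_factor
FROM snowflake.account_usage.login_history
WHERE is_success = 'YES'
  AND event_timestamp >= DATEADD(day, -30, CURRENT_TIMESTAMP())
  AND second_authentication_factor IS NULL            -- no MFA on this session
  AND NOT (client_ip LIKE '203.0.113.%'               -- constructed "corporate"
        OR client_ip LIKE '198.51.100.%')             -- egress ranges
ORDER BY event_timestamp DESC;

-- 2. SELECTs whose row count dwarfs the same user's own 30-day median.
--    Dashboards page through thousands of rows; exfiltration pulls millions.
WITH per_user AS (
  SELECT user_name, MEDIAN(rows_produced) AS median_rows
  FROM snowflake.account_usage.query_history
  WHERE query_type = 'SELECT'
    AND execution_status = 'SUCCESS'
    AND start_time >= DATEADD(day, -30, CURRENT_TIMESTAMP())
  GROUP BY user_name
)
SELECT q.start_time, q.user_name, q.role_name, q.warehouse_name,
       q.rows_produced, p.median_rows,
       LEFT(q.query_text, 200) AS query_snippet
FROM snowflake.account_usage.query_history q
JOIN per_user p USING (user_name)
WHERE q.query_type = 'SELECT'
  AND q.start_time >= DATEADD(day, -1, CURRENT_TIMESTAMP())
  AND q.rows_produced > 1000000                       -- absolute floor
  AND q.rows_produced > 50 * GREATEST(p.median_rows, 1)  -- 50x the user's norm
ORDER BY q.rows_produced DESC;

-- 3. COPY INTO <location> (query_type UNLOAD) aimed anywhere other than the
--    approved export stage. Bulk unloads to an unfamiliar bucket are the
--    last step of the pattern seen in this wave.
SELECT start_time, user_name, role_name, rows_produced, query_text
FROM snowflake.account_usage.query_history
WHERE query_type = 'UNLOAD'
  AND start_time >= DATEADD(day, -7, CURRENT_TIMESTAMP())
  AND NOT (query_text ILIKE '%@analytics_export_stage%')  -- constructed allow-list
ORDER BY start_time DESC;
```

Schedule these as Snowflake tasks or run them from your SIEM's collector on a cadence shorter than the ACCOUNT_USAGE latency, and treat any hit on query 1 that is followed by a hit on query 2 or 3 from the same session as an incident rather than an anomaly. The LOGIN_HISTORY and QUERY_HISTORY views keep a year of history, so the same queries also serve as a retrospective check on the window before you turned them on.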

Lessons

First, infostealer hygiene is now a corporate-data problem, not just a consumer problem. Any employee who logs into corporate systems from a device that runs unknown software is a path into your data warehouse. Conditional access on managed devices, FIDO2 keys, and short token lifetimes shrink that path. Second, SaaS data warehouses are blast-radius assets. The amount of data per breach in this wave was huge because Snowflake is designed to put everything in one place. That design is the right one for analytics and the wrong one for blast radius unless you compensate with network policies, MFA enforcement, and per-role data minimization.
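The compensating controls named above (network policies, MFA enforcement, per-role data minimization) are all account-level Snowflake DDL. The statements below are an added example written for this post, not Snowflake's or AT&T's own configuration; the policy names (`corp_only`, `require_mfa`, `cdr_cell_site_mask`), the CIDR ranges, the table `analytics.cdr.call_records`, the role `NETWORK_ENGINEERING` and the user `svc_legacy_etl` are constructed placeholders.

```sql
-- Added example (not from the original post): the Snowflake-side controls the
-- lessons above call for. Object names, CIDR ranges, table, role and user
-- names are constructed placeholders. Run as ACCOUNTADMIN.

-- Weak baseline: no network policy set, so a password works from any IP.
-- Check what the account enforces today before changing anything.
SHOW PARAMETERS LIKE 'NETWORK_POLICY' IN ACCOUNT;

-- 1. Network policy: only corporate egress and the ETL/SSO ranges may connect.
--    Snowflake refuses to apply a policy that would lock out the IP you are
--    currently connecting from, so run this from an allowed range.
CREATE NETWORK POLICY IF NOT EXISTS corp_only
  ALLOWED_IP_LIST = ('203.0.113.0/24', '198.51.100.0/24');  -- constructed ranges
ALTER ACCOUNT SET NETWORK_POLICY = corp_only;

-- 2. Authentication policy: MFA enrollment is mandatory and every password
--    login must complete a second factor. SAML stays allowed so that
--    conditional access on managed devices is enforced at the IdP.
CREATE AUTHENTICATION POLICY IF NOT EXISTS require_mfa
  AUTHENTICATION_METHODS     = ('SAML', 'PASSWORD')
  MFA_AUTHENTICATION_METHODS = ('PASSWORD')
  MFA_ENROLLMENT             = REQUIRED
  CLIENT_TYPES               = ('SNOWFLAKE_UI', 'DRIVERS', 'SNOWSQL');
ALTER ACCOUNT SET AUTHENTICATION POLICY require_mfa;

-- 3. Per-role data minimization: the cell-site column is the location field
--    in a CDR. Only the role with a need for location sees it; every other
--    role (dashboards included) gets NULL, so a stolen analyst credential
--    cannot pull six months of movement patterns.
CREATE MASKING POLICY IF NOT EXISTS cdr_cell_site_mask AS (val STRING)
  RETURNS STRING ->
  CASE WHEN CURRENT_ROLE() IN ('NETWORK_ENGINEERING') THEN val ELSE NULL END;
ALTER TABLE analytics.cdr.call_records
  MODIFY COLUMN cell_site SET MASKING POLICY cdr_cell_site_mask;

-- 4. Dormant password-bearing accounts are exactly what years-old infostealer
--    logs resolve to. List users with no successful login in 90 days, then
--    disable each one that nobody claims.
SELECT name, login_name, has_password, last_success_login
FROM snowflake.account_usage.users
WHERE deleted_on IS NULL
  AND disabled = FALSE
  AND has_password = TRUE
  AND (last_success_login IS NULL
       OR last_success_login < DATEADD(day, -90, CURRENT_TIMESTAMP()));
-- per stale account, after confirming with its owner:
ALTER USER svc_legacy_etl SET DISABLED = TRUE;
```

Masking policies require Snowflake Enterprise edition or above; on Standard edition the equivalent is a view that omits the column, granted to the dashboard roles instead of the base table. After applying the network policy, re-run the password-only login hunt from the Detection section: it should return nothing, and any row it does return is a path you have not closed.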

The BIPI take

If your data warehouse is reachable with a password from any IP on the internet, you have already accepted the AT&T outcome. Snowflake's post-incident updates now nudge customers toward mandatory MFA. Do not wait for the platform to force you. The breach window was open for two years between when those infostealer logs first showed up on Russian Market and when UNC5537 started using them. The next campaign's window is already open.

Get in touch at info@bipi.in.