Snowflake-Linked Data Thefts Hit Ticketmaster, Santander, Advance Auto Parts
A threat actor identified as UNC5537 is monetizing data stolen from at least 165 Snowflake customer tenants by abusing valid credentials harvested by infostealer malware against accounts lacking multi-factor authentication.
Mandiant published an analysis today attributing a sprawling campaign of data theft from at least 165 Snowflake customer tenants to a financially motivated threat actor it tracks as UNC5537. Public victims to date include Ticketmaster, Santander, Advance Auto Parts, Neiman Marcus, AT&T, and LendingTree subsidiary QuoteWizard.
The campaign does not exploit any vulnerability in Snowflake's platform itself. Instead, UNC5537 is using valid customer credentials — many harvested years earlier by infostealer malware such as Vidar, RisePro, Redline, and Lumma — to log into Snowflake tenants that had not enforced multi-factor authentication. Once inside, the actor uses standard SQL queries to enumerate and exfiltrate tables.
"The recurring pattern across these incidents is the absence of MFA enforcement at the tenant level," wrote Charles Carmakal, Mandiant's CTO. "Snowflake's identity model historically treated MFA as a per-user opt-in. In environments where business analysts were creating service accounts with passwords-only, that's a six-year time bomb."
Snowflake has since shipped admin-policy controls that let tenants mandate MFA, apply network policies, and enforce SSO-only authentication. The company also added monitoring that flags logins using passwords that appear in known infostealer dumps.
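An added example, not taken from Mandiant's analysis or from Snowflake's own documentation, showing the defender's side of the pattern described above in Snowflake SQL: a hunt over the account's login history for the password-only sessions the campaign relied on, an inventory of users who still lack MFA, and the account-level authentication and network policies that close the gap. The user name, policy names and IP range are constructed placeholders.

```sql
-- 1. Hunt: successful logins in the last 30 days that used a password with no
--    second factor. This is the session shape UNC5537 needed; every row is a
--    user whose stolen password alone would have been enough.
SELECT event_timestamp, user_name, client_ip, reported_client_type
FROM snowflake.account_usage.login_history
WHERE is_success = 'YES'
  AND first_authentication_factor = 'PASSWORD'
  AND second_authentication_factor IS NULL
  AND event_timestamp >= DATEADD(day, -30, CURRENT_TIMESTAMP())
ORDER BY event_timestamp DESC;

-- 2. Inventory: active users that have a password set but are not enrolled in
--    MFA (ext_authn_duo is Snowflake's built-in MFA enrollment flag). Service
--    accounts created password-only by analysts show up here.
SELECT name, has_password, ext_authn_duo, last_success_login
FROM snowflake.account_usage.users
WHERE deleted_on IS NULL
  AND NOT disabled::boolean
  AND has_password::boolean
  AND NOT ext_authn_duo::boolean;

-- 3. Weak state (what the breached tenants had): per-user opt-in MFA, so a
--    password-only account like this one is accepted from any IP.
--    CREATE USER analyst_svc PASSWORD = '<placeholder>';   -- constructed example

-- 4. Hardened state: an account-wide authentication policy. Humans sign in via
--    SAML SSO; any remaining password login must enroll in MFA; automation
--    should move to key-pair authentication rather than a shared password.
CREATE AUTHENTICATION POLICY require_mfa_or_sso
  AUTHENTICATION_METHODS     = ('SAML', 'PASSWORD', 'KEYPAIR')
  MFA_AUTHENTICATION_METHODS = ('PASSWORD')
  MFA_ENROLLMENT             = REQUIRED
  CLIENT_TYPES               = ('SNOWFLAKE_UI', 'DRIVERS', 'SNOWSQL');
ALTER ACCOUNT SET AUTHENTICATION POLICY require_mfa_or_sso;

-- 5. Network policy: even a valid, MFA-less credential is useless from outside
--    the allowed ranges. 203.0.113.0/24 is a documentation range placeholder.
CREATE NETWORK POLICY corp_egress_only
  ALLOWED_IP_LIST = ('203.0.113.0/24');
ALTER ACCOUNT SET NETWORK_POLICY = corp_egress_only;
```

Run steps 1 and 2 before applying steps 4 and 5, since the inventory tells you which service accounts will break under a REQUIRED MFA policy and need to be migrated to key-pair authentication first.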
The campaign has resulted in some of the largest disclosed data breaches of 2024 by record count, with the Ticketmaster breach alone affecting an estimated 560 million accounts. UNC5537 is believed to operate out of Canada and Turkey, and one alleged member, Connor Moucka, was arrested in Canada in October on a U.S. extradition request.