The Snowflake Customer Breaches, Explained: What Happened—and 8 Habits That Would Have Helped

This wasn’t a “VPN got hacked” story. It was mostly stolen passwords + no MFA hitting cloud data accounts. Let’s unpack the facts—and the takeaways.

---

What happened (short version)

• In spring 2024, threat actor UNC5537 targeted Snowflake customer accounts using stolen credentials (often from infostealer malware), focusing on tenants without MFA. Investigations by Mandiant and others describe large-scale data theft and extortion.
  • Mandiant summary: https://cloud.google.com/blog/topics/threat-intelligence/unc5537-snowflake-data-theft-extortion
• CISA echoed Snowflake’s guidance for customers to hunt for malicious activity and harden accounts.
  • CISA alert: https://www.cisa.gov/news-events/alerts/2024/06/03/snowflake-recommends-customers-take-steps-prevent-unauthorized-access
• High-profile organizations were affected (e.g., Ticketmaster, Santander); reporting estimated ~165 orgs potentially touched.
  • Coverage: Wired → https://www.wired.com/story/snowflake-breach-ticketmaster-santander-ticketek-hacked • Axios → https://www.axios.com/2024/06/11/165-orgs-snowflake-data-breaches • The Verge → https://www.theverge.com/2024/6/11/24176080/snowflake-cloud-storage-data-breach-ticketmaster-santander

Key point: Snowflake said its core platform wasn’t breached; attackers abused valid customer credentials (often single-factor), sometimes via third parties/contractors.

• Example analysis: Cloud Security Alliance → https://cloudsecurityalliance.org/blog/2025/05/07/unpacking-the-2024-snowflake-data-breach

---

8 habits that would have helped (and still will)

1. Turn on MFA everywhere (prefer app-based or hardware keys/passkeys).
2. Rotate passwords after any sign of infostealer malware or credential exposure.
3. Stop re-use: unique, random passwords in a manager for every account.
4. Restrict access: least privilege on data warehouses; disable stale users and third-party creds.
5. Network controls: IP allow-lists, egress restrictions, and conditional access where possible.
6. Alerting: monitor for unusual queries, mass exports, or new users/keys.
7. Vendor due diligence: contractors should use MFA and healthy device posture.
8. Travel/laptop hygiene: keep systems patched; avoid risky downloads; use VPN on untrusted Wi-Fi to cut LAN-side snooping.

---

Where a VPN helps—and where it doesn’t

• Helps: on public/hostile networks, a VPN encrypts traffic and prevents LAN-level snooping and DNS hijacks that can intercept credentials in transit.
• Doesn’t replace: MFA and device hygiene. Most Snowflake-related compromises stemmed from stolen endpoints and passwords, not network eavesdropping. Combine VPN with MFA and careful software habits.

New to VPNs? Start with this: Public Wi-Fi in 2025: 7 Traps—and How a VPN Helps

---

The OakVPN Advantage

• WireGuard by default for stable, fast connections while traveling
• Private DNS to stop captive-portal and ISP hijacks
• Auto-connect + kill switch so you’re protected the second Wi-Fi connects
• Clear guides for mobile hardening and leak testing

---

Take action now

• Enable MFA on everything critical (prefer passkeys/hardware).
• Audit and rotate any credentials that might be stale or reused.
• Use a VPN on untrusted Wi-Fi, and keep your OS and browser fully updated.
• Get OakVPN apps → https://www.oakvpn.com/apps • Plans → https://www.oakvpn.com/pricing

---

Sources & further reading

• CISA alert (June 2024): https://www.cisa.gov/news-events/alerts/2024/06/03/snowflake-recommends-customers-take-steps-prevent-unauthorized-access
• Mandiant (UNC5537 campaign): https://cloud.google.com/blog/topics/threat-intelligence/unc5537-snowflake-data-theft-extortion
• Coverage: Wired → https://www.wired.com/story/snowflake-breach-ticketmaster-santander-ticketek-hacked • Axios → https://www.axios.com/2024/06/11/165-orgs-snowflake-data-breaches • The Verge → https://www.theverge.com/2024/6/11/24176080/snowflake-cloud-storage-data-breach-ticketmaster-santander