Security | June 1, 2026 | 8 min read

What to Do After the Snowflake Data Breach

By Sarah Chen

Head of Privacy Research

In mid-2024, a massive data breach campaign targeting Snowflake — a major cloud data platform — compromised the customer data of at least 160 organizations, including AT&T, Ticketmaster, Santander Bank, LendingTree, Advance Auto Parts, Neiman Marcus, and Bausch Health. Hundreds of millions of people's personal information was stolen. If you're a customer of any affected company, here's what you need to know and do.

What Happened

The Snowflake breach wasn't a single hack — it was a coordinated campaign by a financially motivated threat actor tracked as UNC5537. Here's how it unfolded:

  1. Credential theft: The attackers acquired Snowflake account credentials that had been previously stolen by infostealer malware from employee devices.
  2. Account access: Using these stolen credentials, they authenticated directly to Snowflake customer accounts that did not have multi-factor authentication (MFA) enabled.
  3. Data exfiltration: The attackers downloaded massive volumes of customer data from the compromised accounts.
  4. Extortion: The stolen data was used to extort the affected companies, with some paying ransoms. The data was also offered for sale on dark web marketplaces.
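For teams that administer a cloud data platform, steps 1 through 3 leave a recognizable trail: a successful password-only login from an unfamiliar address, followed by unusually large exports from the same account. The sketch below is an added example, not part of the original article; the field names, thresholds, baseline IP sets and sample records are all constructed assumptions rather than any real platform's audit schema.

```python
from datetime import datetime, timedelta

# Constructed sample data. Field names are assumptions for this example,
# not the schema of any real platform's audit log.
KNOWN_IPS = {"etl_svc": {"10.0.0.5"}, "alice": {"10.0.0.8"},
             "analyst_demo": {"10.0.0.9"}, "carol": {"10.0.0.11"}}
LOGINS = [
    {"user": "etl_svc", "time": "2024-05-01T09:00:00", "ip": "10.0.0.5",
     "second_factor": None, "ok": True},       # password-only, usual IP
    {"user": "alice", "time": "2024-05-01T10:00:00", "ip": "203.0.113.7",
     "second_factor": "TOTP", "ok": True},     # new IP, but MFA passed
    {"user": "analyst_demo", "time": "2024-05-02T02:14:00", "ip": "198.51.100.23",
     "second_factor": None, "ok": True},       # password-only, new IP
    {"user": "carol", "time": "2024-05-02T03:00:00", "ip": "192.0.2.44",
     "second_factor": None, "ok": True},       # password-only, new IP
    {"user": "bob", "time": "2024-05-02T04:00:00", "ip": "192.0.2.45",
     "second_factor": None, "ok": False},      # failed attempt
]
EXPORTS = [
    {"user": "etl_svc", "time": "2024-05-01T09:30:00", "rows": 2_000_000},
    {"user": "analyst_demo", "time": "2024-05-02T02:40:00", "rows": 5_000_000},
    {"user": "analyst_demo", "time": "2024-05-02T05:10:00", "rows": 3_000_000},
    {"user": "carol", "time": "2024-05-02T03:05:00", "rows": 500},
]

def risky_logins(logins, known_ips):
    """Successful logins with no second factor from an IP outside the user's baseline."""
    return [l for l in logins
            if l["ok"] and l["second_factor"] is None
            and l["ip"] not in known_ips.get(l["user"], set())]

def correlate(logins, exports, known_ips,
              window=timedelta(hours=24), row_threshold=1_000_000):
    """Flag risky logins followed by bulk export by the same user within the window."""
    findings = []
    for login in risky_logins(logins, known_ips):
        start = datetime.fromisoformat(login["time"])
        rows = sum(e["rows"] for e in exports
                   if e["user"] == login["user"]
                   and start <= datetime.fromisoformat(e["time"]) <= start + window)
        if rows >= row_threshold:
            findings.append((login["user"], login["ip"], rows))
    return findings

if __name__ == "__main__":
    for user, ip, rows in correlate(LOGINS, EXPORTS, KNOWN_IPS):
        print(f"ALERT {user}: password-only login from {ip}, {rows:,} rows exported")
```

Only `analyst_demo` is flagged: the MFA-protected login, the service account on its usual address, the failed attempt and the small export all fall below the rule.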

Scale of the Breach

This was one of the largest data breach campaigns in history. AT&T alone had call logs stolen for approximately 109 million customers — nearly all of its mobile customers. Ticketmaster had 560 million customer records exposed. Santander had 30 million customer records compromised across multiple countries.

What Data Was Exposed

The specific data exposed varies by company, but across the affected organizations, compromised data includes:

  • AT&T: Call and text records for nearly all mobile customers, including phone numbers called, call duration, and cell site identification numbers (which can reveal approximate locations).
  • Ticketmaster/Live Nation: Customer names, email addresses, phone numbers, payment card information, and order history for up to 560 million users.
  • Santander Bank: Account details for 30 million customers in Chile, Spain, and Uruguay, including account numbers and balance information.
  • LendingTree: Customer financial data including loan applications and personal information.
  • Advance Auto Parts: Employee data including Social Security numbers.
  • Neiman Marcus: Customer purchase history and personal information.

Steps to Protect Yourself

1. Determine If You're Affected

  • Check your email for breach notification letters from any of the affected companies
  • If you were an AT&T mobile customer in 2024, assume your call records were compromised
  • If you purchased tickets through Ticketmaster, your data was likely exposed
  • If you banked with Santander in Chile, Spain, or Uruguay, your account data may be compromised
  • Use a breach monitoring service to check if your email or phone number appears in the leaked data

2. Change Your Passwords Immediately

  • Change passwords for all accounts with the affected companies
  • If you reused those passwords anywhere else, change them there too
  • Use unique, strong passwords for every account going forward
  • Consider using a password manager to generate and store complex passwords

3. Enable Multi-Factor Authentication

The Snowflake breach succeeded largely because compromised accounts lacked MFA. Enable MFA on every account that supports it — especially financial accounts, email, and social media. Use an authenticator app rather than SMS-based verification when possible.

4. Monitor Your Financial Accounts

  • Review bank and credit card statements for unauthorized transactions
  • Set up transaction alerts for all financial accounts
  • Check your credit reports at all three bureaus (Equifax, Experian, TransUnion) at annualcreditreport.com
  • Consider placing a credit freeze to prevent new accounts from being opened in your name

Free Credit Monitoring

Many of the affected companies offered free credit monitoring services to affected customers. Check your email for notifications from AT&T, Ticketmaster, or other affected companies and enroll if available. However, credit monitoring only alerts you after fraud occurs — it doesn't prevent it.

5. Watch for Targeted Scams

With detailed personal information in criminals' hands, expect highly targeted phishing attempts:

  • AT&T customers: Watch for calls or texts claiming to be from AT&T asking you to "verify" your account or click a link.
  • Ticketmaster users: Be suspicious of emails about refunds, ticket transfers, or account issues.
  • All affected individuals: Scammers may reference real details from the breach to make phishing attempts more convincing. Verify any suspicious communication by contacting the company directly through their official website.

6. Place a Fraud Alert or Credit Freeze

  • Fraud alert (free): Contact any one of the three credit bureaus to place a fraud alert, which requires creditors to take extra steps to verify your identity before opening new accounts.
  • Credit freeze (free): A stronger measure that prevents new credit accounts from being opened in your name entirely. You can temporarily lift it when you need to apply for credit.

7. Report Identity Theft If It Occurs

If you discover unauthorized activity:

  • File an identity theft report at identitytheft.gov
  • File a police report with local law enforcement
  • Contact the fraud departments of affected financial institutions
  • Dispute fraudulent charges and accounts in writing

The Arrests

In October 2024, Alexander "Connor" Moucka was arrested in Canada on a U.S. extradition request. In November 2024, the U.S. Department of Justice unsealed a federal indictment against Moucka and co-conspirator John Binns. While the arrests are a positive development, the stolen data remains in circulation on the dark web.

Long-Term Protection

Data breaches of this scale have lasting consequences. Your stolen information can be used for identity theft, targeted scams, and account takeovers for years after the initial breach. PrivacyOn provides continuous dark web monitoring to alert you when your personal information appears in breach data, along with automated data broker removal across 100+ sites to reduce the personal information available to criminals.

Sarah Chen

Head of Privacy Research

CIPP/US Certified | IAPP Member | B.S. Computer Science

CIPP/US-certified privacy researcher with over a decade of experience helping consumers remove their personal information from data brokers.
