On July 12, 2024, AT&T disclosed in an SEC filing that threat actors had accessed call and text message metadata for nearly all of its cellular customers — approximately 110 million people. The data was not stolen from AT&T's own infrastructure. Instead, attackers accessed it through Snowflake, the cloud data platform where AT&T stored analytics data. The breach was part of a broader campaign targeting Snowflake customers with stolen credentials, and it stands as a defining case study in third-party cloud platform risk.
The Attack: Snowflake Credential Campaign
According to Mandiant, the cybersecurity firm engaged by Snowflake to investigate the incidents, a financially motivated threat actor tracked as UNC5537 systematically targeted Snowflake customer accounts using credentials obtained from historical infostealer malware infections. The attackers exploited a critical gap: many Snowflake customer accounts did not have multi-factor authentication (MFA) enabled, and Snowflake did not enforce MFA by default at the time of the attacks.
The campaign was not limited to AT&T. Mandiant confirmed that approximately 165 Snowflake customer organizations were potentially affected, with other confirmed victims including Ticketmaster (Live Nation) and Advance Auto Parts. But the AT&T breach was by far the largest in scope.
What Was Stolen
The compromised data consisted of call detail records (CDRs) and text message metadata spanning approximately six months, from May 1 through October 31, 2022, with an additional smaller set of records from January 2, 2023. The metadata included:
- Phone numbers of AT&T cellular customers
- Phone numbers of customers of other carriers who interacted with AT&T numbers
- Counts of calls and texts between numbers
- Aggregate call duration data
- Cell site identification numbers (which can be used to approximate a customer's location)
AT&T stated that the data did not include the content of calls or texts, Social Security numbers, or dates of birth. However, metadata at this scale is far from harmless. Intelligence agencies and security researchers have long established that call metadata can reveal personal relationships, daily patterns, business associations, and approximate locations.
| Impact Category | Details |
|---|---|
| Customers Affected | Approximately 110 million (nearly all AT&T cellular customers) |
| Data Period | May – October 2022, plus records from January 2, 2023 |
| Data Type | Call and text metadata (numbers, duration, cell site IDs) |
| Attack Vector | Stolen credentials for Snowflake cloud platform (no MFA enforced) |
| Ransom Paid | Approximately $370,000 in cryptocurrency for data deletion |
| Disclosure Date | July 12, 2024 (SEC filing) |
The Ransom Payment
According to reporting by Wired, AT&T paid approximately $370,000 in Bitcoin to a member of the hacking group in exchange for the deletion of the stolen data. The payment was reportedly brokered through an intermediary, and the hacker provided a video purportedly showing the data being deleted. Security researchers have noted that such deletion assurances are inherently unreliable, as there is no way to verify that all copies of the data were destroyed.
The Third-Party Risk Dimension
The AT&T breach underscores a fundamental challenge in modern third-party risk management: data stored on cloud platforms is only as secure as the access controls protecting it. Snowflake itself was not breached in the traditional sense — there was no vulnerability exploited in the Snowflake platform. Instead, individual customer accounts were compromised because they relied on single-factor authentication with credentials that had been stolen months or years earlier through infostealer malware.
This distinction matters for TPRM programs. A vendor questionnaire asking "Is your cloud platform SOC 2 certified?" would have received a "yes" from Snowflake. But the actual risk — that AT&T's own account on that certified platform lacked basic access controls — would not have been captured by that question. The breach lived in the gap between the platform's capabilities and the customer's configuration of those capabilities.
"The compromise was not caused by a vulnerability, misconfiguration, or breach of the Snowflake platform. The threat actor obtained credentials from infostealer malware and used them to access accounts that were not configured with MFA." — Mandiant Threat Intelligence, June 2024
What Organizations Should Do
- Enforce MFA on all cloud platforms: Every cloud data store, analytics platform, and SaaS application must require multi-factor authentication, regardless of the vendor's default settings.
- Audit cloud access configurations: Do not assume that vendor certifications mean your data is properly secured. Regularly audit how your organization's accounts and data are configured on third-party platforms.
- Monitor for credential exposure: Use dark web monitoring and infostealer detection to identify when employee credentials may have been compromised, and proactively rotate them.
- Include cloud configuration in vendor assessments: TPRM questionnaires and continuous monitoring should cover not just "does the vendor have security controls" but "are our accounts on the vendor's platform properly configured."
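The gap this breach lived in, an account that accepts a password alone on a platform whose own security is fine, is something a customer can audit for itself. The script below is an added example written for this article, not code from AT&T, Snowflake or Mandiant. Its record fields mirror the column names of Snowflake's ACCOUNT_USAGE.LOGIN_HISTORY and ACCOUNT_USAGE.USERS views as the example's author understands them (FIRST_AUTHENTICATION_FACTOR, SECOND_AUTHENTICATION_FACTOR, IS_SUCCESS, HAS_PASSWORD, EXT_AUTHN_DUO); treat those names as an assumption to verify against your account. It implements the three checks the recommendations above call for: which active users can still log in with only a password, which logins actually did, and which password-only accounts suddenly appear from an address never seen before, the pattern a replayed infostealer credential produces. All users and login rows are constructed sample data.

```python
"""Audit helpers for Snowflake-style login telemetry (added example, not the
article's or any vendor's code). Field names assume Snowflake's
ACCOUNT_USAGE.LOGIN_HISTORY / ACCOUNT_USAGE.USERS columns; verify before use.
All rows below are constructed sample data, not real logins."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional


@dataclass(frozen=True)
class UserRecord:
    name: str
    disabled: bool
    has_password: bool
    ext_authn_duo: bool  # assumed: True when enrolled in Snowflake's Duo MFA


@dataclass(frozen=True)
class LoginEvent:
    user_name: str
    event_timestamp: datetime
    client_ip: str
    first_authentication_factor: str             # e.g. "PASSWORD", "RSA_KEYPAIR"
    second_authentication_factor: Optional[str]  # e.g. "DUO_PUSH", or None
    is_success: bool


BASE = datetime(2024, 4, 1, 9, 0)
REPORT_TIME = BASE + timedelta(days=41)  # "now" for the sample audit run

# Constructed sample users: a human with MFA, a password-only service account,
# a key-pair account and a disabled leftover.
SAMPLE_USERS: List[UserRecord] = [
    UserRecord("JDOE", disabled=False, has_password=True, ext_authn_duo=True),
    UserRecord("ANALYTICS_SVC", disabled=False, has_password=True, ext_authn_duo=False),
    UserRecord("ETL_KEYPAIR", disabled=False, has_password=False, ext_authn_duo=False),
    UserRecord("OLD_CONTRACTOR", disabled=True, has_password=True, ext_authn_duo=False),
]

# Constructed sample logins. 203.0.113.0/24 is a documentation range.
SAMPLE_LOGINS: List[LoginEvent] = [
    LoginEvent("JDOE", BASE, "10.0.0.5", "PASSWORD", "DUO_PUSH", True),
    LoginEvent("ANALYTICS_SVC", BASE + timedelta(days=1), "10.0.0.9", "PASSWORD", None, True),
    LoginEvent("ETL_KEYPAIR", BASE + timedelta(days=2), "10.0.0.20", "RSA_KEYPAIR", None, True),
    # Weeks later the password-only account succeeds from an address never seen before.
    LoginEvent("ANALYTICS_SVC", BASE + timedelta(days=40), "203.0.113.77", "PASSWORD", None, True),
    # A failed attempt is deliberately excluded from the IP baselines below.
    LoginEvent("ANALYTICS_SVC", BASE + timedelta(days=40, minutes=5), "203.0.113.77", "PASSWORD", None, False),
]


def users_missing_mfa(users: List[UserRecord]) -> List[str]:
    """Active users who can authenticate with a password but have no MFA enrolment."""
    return sorted(u.name for u in users
                  if not u.disabled and u.has_password and not u.ext_authn_duo)


def password_only_logins(events: List[LoginEvent]) -> List[LoginEvent]:
    """Successful logins that presented a password and no second factor."""
    return [e for e in events
            if e.is_success
            and e.first_authentication_factor == "PASSWORD"
            and e.second_authentication_factor is None]


def new_source_ips(events: List[LoginEvent], now: datetime,
                   window: timedelta = timedelta(days=30)) -> Dict[str, List[str]]:
    """Per user, source IPs seen inside the last `window` that never appeared before it.

    A replayed stolen credential usually arrives from infrastructure the account
    has never used, so a first-seen address on a password-only account is an
    investigation trigger even though the login itself succeeded.
    """
    cutoff = now - window
    baseline: Dict[str, set] = defaultdict(set)
    recent: Dict[str, set] = defaultdict(set)
    for e in events:
        if not e.is_success or e.event_timestamp > now:
            continue
        bucket = recent if e.event_timestamp >= cutoff else baseline
        bucket[e.user_name].add(e.client_ip)
    return {u: sorted(ips - baseline[u]) for u, ips in recent.items() if ips - baseline[u]}


def audit(users: List[UserRecord], events: List[LoginEvent], now: datetime) -> dict:
    """Combine the three checks into one report a TPRM or SecOps reviewer can act on."""
    return {
        "users_missing_mfa": users_missing_mfa(users),
        "password_only_users": sorted({e.user_name for e in password_only_logins(events)}),
        "new_source_ips": new_source_ips(events, now),
    }


if __name__ == "__main__":
    import json
    print(json.dumps(audit(SAMPLE_USERS, SAMPLE_LOGINS, REPORT_TIME), indent=2))
```

Run stand-alone, the report names ANALYTICS_SVC under all three headings: it has no MFA enrolment, every one of its logins was password-only, and its latest login came from an address outside its 30-day baseline. The first check is the one to turn into a standing control (Snowflake now offers account-level MFA enforcement, which removes the finding entirely); the other two are the detection side, and belong in whatever SIEM already ingests the platform's login history.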
Protect Your Organization from Third-Party Risk
Fair TPRM is a free, open-source platform for vendor risk management, GRC compliance, and FAIR risk quantification.
Sources & References
- AT&T Inc. Form 8-K: Material Cybersecurity Incident Disclosure - U.S. Securities and Exchange Commission, July 12, 2024
- AT&T Paid a Hacker $370,000 to Delete Stolen Phone Records - Wired, July 2024
- UNC5537 Targets Snowflake Customer Instances for Data Theft and Extortion - Mandiant (Google Cloud), June 2024
- Detecting and Preventing Unauthorized User Access: Snowflake's Response - Snowflake Blog, June 2024
- AT&T Addresses Illegal Download of Customer Data - AT&T Newsroom, July 2024