- Snowflake has a growing problem on its hands after AT&T said on Friday that data from "nearly all" wireless customers was connected to a breach.
- Prior to Friday, the most notable companies tied to the Snowflake attack were Advance Auto Parts, LendingTree, Ticketmaster operator Live Nation Entertainment and Santander Bank.
- Snowflake disclosed the cyberattack in late May and has enlisted the help of CrowdStrike and Alphabet's Mandiant to investigate.
Snowflake has spent the past seven weeks dealing with the fallout of a major cyberattack that compromised sensitive customer data at several of its clients. The software company's problems just got a whole lot worse.
Telecommunications giant AT&T said in a regulatory filing on Friday that hackers tapped into a cloud platform housing customer data, gaining access to records of subscribers' calls and text messages during a six-month period in 2022. The data includes phone numbers, aggregate call duration and some cell site details, AT&T said in the filing.
An AT&T spokesperson told CNBC that the cloud service was owned by Snowflake. Shares of Snowflake fell 1.8% on Friday, while the Nasdaq rose 0.6%.
It is the most severe incident since Snowflake disclosed the breach on May 30, writing in a blog post at the time, "We became aware of potentially unauthorized access to certain customer accounts on May 23, 2024." Snowflake enlisted the help of cybersecurity software vendor CrowdStrike and Alphabet's Mandiant to investigate.
Mandiant wrote in a blog post last month that, through its "Victim Notification Program," the company and Snowflake have alerted 165 "potentially exposed organizations" of the incident. Mandiant blamed the hack on a financially motivated group it calls UNC5537, with members in North America and Turkey. UNC5537 drew on login credentials that had been available online after they had been stolen separately using malware.
Prior to Friday, the most notable companies connected to the Snowflake breach were Advance Auto Parts, LendingTree, Ticketmaster operator Live Nation and Santander Bank, which said in mid-May, prior to Snowflake's disclosure, "We recently became aware of an unauthorized access to a Santander database hosted by a third-party provider."
AT&T is much bigger. The company had 242 million customers for its U.S. wireless mobility services at the end of last year, with 128 million connected devices.
The carrier said data in the breach involves "nearly all of AT&T's wireless customers and customers of mobile virtual network operators" using its wireless network.
"While the data does not include customer names, there are often ways, using publicly available online tools, to find the name associated with a specific telephone number," AT&T wrote. Attackers did not get access to the content of calls or texts.
A Snowflake spokesperson did not provide a comment when asked about the AT&T hack. The spokesperson pointed to the company's prior statements about the attack.
Mandiant said in its blog post that some of the malware infections in non-Snowflake owned systems date to 2020, and the credentials were, in some cases, still valid years after being stolen. In certain instances, the credentials had been taken on PCs used by contractors for Snowflake customers — devices that were also used for personal activities, including downloading pirated software.
The usernames and passwords were sufficient for UNC5537 to enter customers' Snowflake environments because those customers had not turned on multi-factor authentication, Mandiant said. From there, the hackers exported "a significant volume of customer data." UNC5537 has since started extorting victims and trying to sell customer data online, Mandiant added.
AT&T said Friday that it does not believe the attack will have a material effect on its finances.
But Snowflake has warned investors that it might face reputational harm and "significant liabilities" if the company were to "experience an actual or perceived security breach or unauthorized parties otherwise obtain access to our customers' data, our data, or our platform."
Earlier this week, Snowflake published a blog post saying administrators can enforce the mandatory use of multi-factor authentication.
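The two weaknesses Mandiant describes above, logins that succeed on a password alone and credentials left valid for years after they were stolen, are both visible in an account's login and user metadata. The script below is an added example, not code from the article, from Snowflake or from Mandiant. It audits constructed sample rows shaped like Snowflake's ACCOUNT_USAGE LOGIN_HISTORY and USERS views (the column names used here are my assumption and should be checked against the account's actual schema) and flags successful password-only logins and enabled users whose password is older than a threshold.

```python
"""Audit login records for password-only access and stale passwords.

Added example; not the article's, Snowflake's or Mandiant's code. The row
shapes imitate Snowflake's ACCOUNT_USAGE.LOGIN_HISTORY and ACCOUNT_USAGE.USERS
views as assumed here (column names are an assumption to verify). All rows
below are constructed sample data, not real account data.
"""
from collections import Counter
from datetime import datetime, timezone

# Constructed LOGIN_HISTORY-style rows (sample data made up for this example).
LOGIN_ROWS = [
    {"USER_NAME": "ANALYST_A", "IS_SUCCESS": "YES",
     "FIRST_AUTHENTICATION_FACTOR": "PASSWORD", "SECOND_AUTHENTICATION_FACTOR": "DUO_PUSH",
     "CLIENT_IP": "203.0.113.5", "EVENT_TIMESTAMP": "2024-05-20T09:00:00Z"},
    {"USER_NAME": "CONTRACTOR_B", "IS_SUCCESS": "YES",
     "FIRST_AUTHENTICATION_FACTOR": "PASSWORD", "SECOND_AUTHENTICATION_FACTOR": None,
     "CLIENT_IP": "198.51.100.77", "EVENT_TIMESTAMP": "2024-05-21T03:12:00Z"},
    {"USER_NAME": "CONTRACTOR_B", "IS_SUCCESS": "YES",
     "FIRST_AUTHENTICATION_FACTOR": "PASSWORD", "SECOND_AUTHENTICATION_FACTOR": None,
     "CLIENT_IP": "198.51.100.78", "EVENT_TIMESTAMP": "2024-05-22T03:40:00Z"},
    {"USER_NAME": "CONTRACTOR_B", "IS_SUCCESS": "NO",
     "FIRST_AUTHENTICATION_FACTOR": "PASSWORD", "SECOND_AUTHENTICATION_FACTOR": None,
     "CLIENT_IP": "198.51.100.79", "EVENT_TIMESTAMP": "2024-05-22T03:41:00Z"},
    {"USER_NAME": "SVC_ETL", "IS_SUCCESS": "YES",
     "FIRST_AUTHENTICATION_FACTOR": "RSA_KEYPAIR", "SECOND_AUTHENTICATION_FACTOR": None,
     "CLIENT_IP": "10.0.0.8", "EVENT_TIMESTAMP": "2024-05-22T04:00:00Z"},
]

# Constructed USERS-style rows (sample data made up for this example).
USER_ROWS = [
    {"NAME": "ANALYST_A", "HAS_PASSWORD": True, "DISABLED": False,
     "PASSWORD_LAST_SET_TIME": "2024-04-01T00:00:00Z"},
    {"NAME": "CONTRACTOR_B", "HAS_PASSWORD": True, "DISABLED": False,
     "PASSWORD_LAST_SET_TIME": "2020-11-02T00:00:00Z"},
    {"NAME": "SVC_ETL", "HAS_PASSWORD": False, "DISABLED": False,
     "PASSWORD_LAST_SET_TIME": None},
    {"NAME": "OLD_TEMP", "HAS_PASSWORD": True, "DISABLED": True,
     "PASSWORD_LAST_SET_TIME": "2021-06-15T00:00:00Z"},
]

# Fixed "now" so the audit is reproducible; use datetime.now(timezone.utc) in practice.
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)


def _parse(ts):
    """Parse an ISO-8601 timestamp with a trailing Z into an aware datetime."""
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def password_only_logins(rows):
    """Successful logins that relied on a password with no second factor.

    Key-pair and SSO logins also report no second factor, but they are not the
    stolen-password case, so only FIRST_AUTHENTICATION_FACTOR == 'PASSWORD' counts.
    """
    return [
        (r["USER_NAME"], r["CLIENT_IP"], r["EVENT_TIMESTAMP"])
        for r in rows
        if r["IS_SUCCESS"] == "YES"
        and r["FIRST_AUTHENTICATION_FACTOR"] == "PASSWORD"
        and not r["SECOND_AUTHENTICATION_FACTOR"]
    ]


def stale_password_users(users, now=NOW, max_age_days=90):
    """Enabled users whose password is older than max_age_days.

    A password set years ago and never rotated is exactly the credential an
    old infostealer log can still unlock. Returns (name, age_in_days) pairs.
    """
    stale = []
    for u in users:
        if u["DISABLED"] or not u["HAS_PASSWORD"] or not u["PASSWORD_LAST_SET_TIME"]:
            continue
        age_days = (now - _parse(u["PASSWORD_LAST_SET_TIME"])).days
        if age_days > max_age_days:
            stale.append((u["NAME"], age_days))
    return stale


def build_report(rows, users, now=NOW):
    """Combine both checks: per-user count of password-only logins plus stale passwords."""
    counts = Counter(user for user, _, _ in password_only_logins(rows))
    return {
        "password_only_logins": dict(counts),
        "stale_passwords": stale_password_users(users, now),
    }


if __name__ == "__main__":
    report = build_report(LOGIN_ROWS, USER_ROWS)
    for user, n in report["password_only_logins"].items():
        print(f"{user}: {n} successful login(s) with password only, no second factor")
    for user, days in report["stale_passwords"]:
        print(f"{user}: password last set {days} days ago")
```

Run against a real account, the two constructed lists would be replaced by query results from the login-history and user views; the users flagged in the first list are the ones for whom the MFA enforcement Snowflake describes closes the gap, and the second list is the rotation queue for credentials that may already be sitting in an old infostealer dump.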
The deepening saga represents a growing challenge for Sridhar Ramaswamy, a former Google executive who in February replaced Frank Slootman as Snowflake's CEO. Days before the hacking disclosure, Snowflake stock declined 5% after management reduced the company's full-year adjusted operating income forecast.
Snowflake, founded in 2012, went public in 2020, raising more than $3 billion in the biggest initial public offering ever for a software company. Since a big first-day pop that lifted its market cap past $70 billion, Snowflake has slid in value, with its stock closing at $134.73 on Friday for a valuation of about $45 billion.
Correction: A prior version of this story incorrectly described Mandiant's findings. The story has been updated to say that, according to Mandiant, some of the malware infections in non-Snowflake owned systems date to 2020.