Risk & Repeat: AT&T's Snowflake database breached

AT&T disclosed a breach in which threat actors compromised the company's Snowflake instance and stole call and text records from 'nearly all' the company's cellular customers.

AT&T disclosed a massive data breach this month that occurred via the telecom giant's Snowflake database instance.

AT&T disclosed a data breach on July 12 in which a threat actor stole customer data stored on a cloud workspace hosted by cloud storage and analytics giant Snowflake. Stolen data included cellular customer call and text message records between May 1 and Oct. 31 of 2022, as well as records of other customers, such as those using a landline, who interacted with compromised cellular numbers between those dates. The breach originally took place in April, according to the company's statement.

AT&T is far from the only company to have its Snowflake instance compromised. In late May, Snowflake said a threat actor tracked as UNC5537 used stolen credentials against a number of its database customers, primarily those with no MFA enabled. Credentials were obtained via infostealer malware as well as illicit purchase, and AT&T is only one of potentially 165 organizations that have had credentials exposed.

To prevent similar identity threat campaigns from happening in the future, Snowflake last week launched features that enable administrators to make MFA mandatory throughout their organizations. Admins can choose to enforce MFA at an organizational level and monitor compliance, though MFA is not required for current customers. Snowflake said that it will soon require all new human users to have MFA enabled. Experts had varying opinions about whether Snowflake's efforts went far enough to secure organizations.

On this episode of the Risk & Repeat podcast, TechTarget editors Rob Wright and Alex Culafi discussed AT&T's breach as well as the latest news surrounding UNC5537's campaign against Snowflake customers.

Alexander Culafi is a senior information security news writer and podcast host for TechTarget Editorial.
