Tech
Snowflake Hackers Indicted for Stealing Billions of Sensitive Customer Records
Two individuals, Connor Riley Moucka and John Erin Binns, have been indicted by the United States for their involvement in a significant cyberattack targeting multiple organizations’ cloud environments hosted on Snowflake. The indictment, unsealed on Sunday, charges the duo with 20 counts of conspiracy, computer fraud and abuse, wire fraud, and aggravated identity theft.
Moucka, a Canadian resident, and Binns, an American living in Turkey, allegedly compromised the cloud storage environments of at least 10 organizations, accessing billions of sensitive customer records. The stolen data included call and text logs, banking and financial details, payroll records, Drug Enforcement Agency registration numbers, driver’s license and passport information, and Social Security numbers.
The victims of the hack include a US-based software-as-a-service company, a major American telecommunications company (identified as AT&T), a large US retailer, a major US-based entertainment company, a healthcare giant, and a major foreign company located in Europe with operations in the United States. AT&T alone had around 50 billion customer call and text records stolen, affecting nearly all of its cellular and landline customers.
The hackers used stolen credentials to access the victims’ cloud computing instances starting around November 2023. They utilized software named “Rapeflake” to identify and steal valuable information and then extorted the victims by threatening to sell or leak the stolen data unless ransoms were paid. At least three victims paid the hackers, with one payment amounting to around $2.5 million in bitcoin.
Moucka and Binns also advertised the stolen data on underground marketplaces such as BreachForums, Exploit.in, and XSS.is. Moucka was arrested in Canada on October 30, while Binns was previously arrested in Turkey.
The incident highlights one of the most consequential cyberattacks of 2024, with Mandiant’s threat analysts tracking the activities of these hackers under the designation UNC5537.