AT&T customer data breached, with over 110 million records compromised, linking back to the Snowflake data platform
In a series of devastating cyberattacks, at least 110 million AT&T wireless customers have been impacted, according to recent reports. The investigation into this breach, which began in early 2024, has seen substantial legal and investigative developments leading up to 2025.
The attacks targeted Snowflake customer environments, including AT&T’s data, which involved phone records and text messages. The breach was facilitated by the lack of multi-factor authentication on many Snowflake customer accounts, allowing the attackers to access data using stolen credentials.
By July 2024, investigations identified the cybercriminal group UNC5533 as involved, linked with other hacking groups such as ShinyHunters and Scattered Spider. Stolen credentials were sold on dark web forums.
AT&T activated its incident response process with the aid of third-party cybersecurity experts and reported the cyberattack on its Snowflake environment. The company became aware of the attack and the theft of AT&T call logs on April 19. The attackers accessed AT&T's Snowflake environment between April 14 and April 25.
Stolen credentials obtained from multiple infostealer malware infections on systems not owned by Snowflake were the point of entry for the attacks. The content of calls or text messages, customer names, and personally identifiable information were not exposed in the attack. Instead, the stolen data included the phone numbers AT&T wireless customers interacted with, counts of interactions, and aggregate call duration.
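The entry point described above (stolen passwords used against Snowflake accounts with no second factor) is the kind of exposure a Snowflake administrator can audit and close from SQL. The following is an added example, not code from the article or from AT&T or Snowflake; it assumes an ACCOUNTADMIN session with access to the SNOWFLAKE.ACCOUNT_USAGE views, and the policy name `require_mfa_policy` is a placeholder.

```sql
-- 1. Exposure check: active, password-enabled users with no MFA enrolled.
--    These accounts are exactly what an infostealer-harvested password unlocks.
SELECT name, login_name, has_password, ext_authn_duo, last_success_login
FROM snowflake.account_usage.users
WHERE deleted_on IS NULL
  AND disabled = FALSE
  AND has_password = TRUE
  AND ext_authn_duo = FALSE
ORDER BY last_success_login DESC NULLS LAST;

-- 2. Detection: successful password-only logins in the last 7 days,
--    summarised per user / source IP / client so that logins from
--    unfamiliar addresses or unexpected drivers stand out for review.
SELECT user_name,
       client_ip,
       reported_client_type,
       COUNT(*)             AS logins,
       MIN(event_timestamp) AS first_seen,
       MAX(event_timestamp) AS last_seen
FROM snowflake.account_usage.login_history
WHERE event_timestamp >= DATEADD('day', -7, CURRENT_TIMESTAMP())
  AND is_success = 'YES'
  AND first_authentication_factor = 'PASSWORD'
  AND second_authentication_factor IS NULL
GROUP BY user_name, client_ip, reported_client_type
ORDER BY logins DESC, last_seen DESC;

-- 3. Mitigation: require MFA enrollment for every password login,
--    for the UI and for drivers/SnowSQL alike, then bind the policy
--    to the whole account.  (Policy name is a placeholder.)
CREATE AUTHENTICATION POLICY IF NOT EXISTS require_mfa_policy
  AUTHENTICATION_METHODS     = ('PASSWORD', 'SAML')
  MFA_AUTHENTICATION_METHODS = ('PASSWORD')
  MFA_ENROLLMENT             = REQUIRED
  CLIENT_TYPES               = ('SNOWFLAKE_UI', 'DRIVERS', 'SNOWSQL');

ALTER ACCOUNT SET AUTHENTICATION POLICY require_mfa_policy;
```

Query 1 is the inventory to drive enrollment, query 2 is the review list for the window before enforcement takes effect, and the policy in step 3 removes the password-only path that the stolen credentials relied on.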
AT&T has taken additional cybersecurity measures in response to this incident and will provide notice to its current and former impacted customers. As of the date of the filing, AT&T does not believe that the stolen data is publicly available.
A robust legal process has been initiated, with all lawsuits relating to Snowflake-related breaches, including those targeting AT&T, consolidated into a multidistrict litigation (MDL 3114) to streamline proceedings. By mid-2025, a tentative $177 million settlement was announced to resolve these consolidated litigation claims related to the AT&T data breach.
Legal actions have also progressed against some individuals linked to the breach, including, as of August 2025, a U.S. Army soldier connected to the stolen credentials. The FBI and DOJ worked collaboratively with AT&T during the first and second delay processes, sharing key threat intelligence.
Corporate stakeholders are asking the question: Are we a target? They are seeking to better understand the risk calculus of their technology stacks. The attacks on Snowflake customer environments were not caused by a vulnerability, misconfiguration, or breach of Snowflake's systems.
No recent public updates have indicated that the underlying vulnerabilities at Snowflake or AT&T have been fully resolved, but significant legal and investigative steps are underway to manage the aftermath and hold responsible parties accountable.
- The cyberattack on AT&T's Snowflake environment, involving stolen credentials from malware infections, has prompted the company to activate its incident response process with the aid of third-party cybersecurity experts.
- In response to this incident, AT&T has taken additional cybersecurity measures and will provide notice to its current and former impacted customers, aiming to prevent similar vulnerabilities in the future.
- As corporate stakeholders seek to better understand the risk calculus of their technology stacks, cybersecurity experts are emphasizing the need for threat intelligence and incident response strategies in the face of increasingly sophisticated cyber threats.