No, the root cause is not AT&T were "attacked, by criminals"; there's a much wider issue involving Snowflake and multiple customers. The full facts are not in yet.
AT&T's data was compromised as one of Snowflake's many customer breaches (Ticketmaster/LiveNation, LendingTree, Advance Auto Parts, Santander Bank, AT&T, probably others [0][1]), which occurred and were notified in 4/2024 (EDIT: some reports say as far back as 10/2023). Supposedly these happened because Snowflake made it impossible to mandate MFA; some customers had credentials stolen by info-stealing malware or obtained from previous data breaches.
Snowflake called it a “targeted campaign directed at users with single-factor authentication”.
The Mandiant report tried to blame an unnamed Snowflake employee (solutions engineer) for exposing their credentials.
How much responsibility Snowflake had, vs its clients, is not clear (for example, seems they only notified all other customers May 23, not immediately when they suspected the first compromise). Reducing the analysis to pure "victims" and "criminals" is not accurate. When you say "criminally prosecute those whose negligence made this possible", it wouldn't make sense to prosecute all of Snowflake's clients but not Snowflake too. Or only the cybercriminals but not Snowflake or its clients.
I think the simple explanation here is likely not that Snowflake has some giant undisclosed breach allowing access to its customers' data, but actually that Snowflake instances are just insecure by default in fairly basic ways.
Snowflake built its business on making it really easy for data teams to spin up an instance and start importing a massive amount of their org's data. By default, the only thing you need to access that from anywhere on the internet is a username and a password. Locking down a snowflake instance ends up requiring a lot more effort.
And very few users actually end up interacting with snowflake directly -- they're logging into a BI tool like Looker, which accesses snowflake behind the scenes. So the fact that an org's Snowflake instance doesn't require being on the VPN or login via okta/azure ad/whatever SSO can fly under the radar pretty easily. Attackers realized this, and started targeting snowflake credentials.
Seems similar to all the S3 breaches that have come out over the years -- it's not that S3 has some giant security hole (in the traditional sense) -- it was just really easy to throw shit on S3 and accidentally make it totally public.
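The two posture problems the comments above describe (the first comment's "users with single-factor authentication", and this comment's point that a password alone works from anywhere on the internet, with BI tools hiding that fact) are both checkable from login history. The following is an added example written for this thread, not code from any commenter or from Snowflake: it audits constructed login records for password-only logins from outside a corporate IP allowlist and for users who never present a second factor. The field names loosely mirror the columns a warehouse login-history view exposes (user, client IP, first/second authentication factor, success), but the records, the `203.0.113.0/24` corporate range and the user names are all constructed for illustration.

```python
"""Audit constructed login-history records for the weak default posture
described in the thread: password-only logins accepted from anywhere.

Added example, not from the thread. Field names loosely mirror a
login-history view (user, client IP, first/second factor, success);
all data below is constructed (TEST-NET ranges, made-up users)."""
import ipaddress
from collections import defaultdict
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class LoginEvent:
    user: str
    client_ip: str
    first_factor: str            # e.g. "PASSWORD", "SAML2", "RSA_KEYPAIR"
    second_factor: Optional[str]  # e.g. "DUO_PUSH"; None means single-factor
    success: bool


# Constructed: the org's VPN/office egress range (TEST-NET-3).
CORP_RANGES = [ipaddress.ip_network("203.0.113.0/24")]

# Constructed sample events.
SAMPLE_EVENTS: List[LoginEvent] = [
    LoginEvent("alice", "203.0.113.10", "PASSWORD", "DUO_PUSH", True),
    LoginEvent("bob", "203.0.113.11", "PASSWORD", None, True),        # password-only, from VPN
    LoginEvent("bob", "198.51.100.7", "PASSWORD", None, True),        # password-only, from internet
    LoginEvent("looker_svc", "192.0.2.44", "PASSWORD", None, True),   # BI service account, internet
    LoginEvent("carol", "198.51.100.9", "SAML2", None, True),         # SSO login; the IdP enforces MFA
    LoginEvent("dave", "198.51.100.9", "PASSWORD", None, False),      # failed attempt, ignored
]


def is_corporate(ip: str, ranges=CORP_RANGES) -> bool:
    """True if the client IP falls inside one of the allowlisted networks."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in ranges)


def single_factor_external_logins(events, ranges=CORP_RANGES) -> List[LoginEvent]:
    """Successful password-only logins from outside the allowlist: exactly the
    sessions a stolen password alone would produce against a default setup."""
    return [
        e for e in events
        if e.success
        and e.first_factor == "PASSWORD"
        and e.second_factor is None
        and not is_corporate(e.client_ip, ranges)
    ]


def users_never_using_mfa(events) -> List[str]:
    """Users whose successful logins were all password-only (no second factor,
    no SSO). Users with only failed logins are not reported."""
    counts = defaultdict(lambda: {"pw_only": 0, "strong": 0})
    for e in events:
        if not e.success:
            continue
        key = "pw_only" if (e.first_factor == "PASSWORD" and e.second_factor is None) else "strong"
        counts[e.user][key] += 1
    return sorted(u for u, c in counts.items() if c["pw_only"] and not c["strong"])


def audit(events, ranges=CORP_RANGES) -> dict:
    """Summarise both findings; (user, ip) pairs are deduplicated and sorted."""
    external = {(e.user, e.client_ip) for e in single_factor_external_logins(events, ranges)}
    return {
        "external_single_factor": sorted(external),
        "password_only_users": users_never_using_mfa(events),
    }


if __name__ == "__main__":
    for finding, value in audit(SAMPLE_EVENTS).items():
        print(finding, value)
```

Running it flags `bob` (password-only, and once from outside the corporate range) and the `looker_svc` account that the BI tool uses behind the scenes, while `alice` (second factor) and `carol` (SSO) are clean. In a real environment the event list would come from the warehouse's login-history view and the allowlist from the network policy you intend to enforce; the point of the service-account finding is that a BI integration's credentials are password-only logins too, even though no human ever types them.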
Yes, like I said Snowflake apparently knew very few of its many customers were using MFA.
Reports say password-stealing breaches were happening as far back as Oct 2023. But Snowflake didn't notify people (customers, FBI, SEC) until May 2024.
[0]: The Ticketmaster Data Breach May Be Just the Beginning (wired.com) https://news.ycombinator.com/item?id=40553163
[1]: 6/24 Snowflake breach snowballs as more victims, perps, come forward (theregister.com) https://news.ycombinator.com/item?id=40780064