Canadian authorities have arrested a man in connection with the series of Snowflake-related breaches earlier this year.
Along with alleged co-conspirator John Binns, Alexander 'Connor' Moucka is believed to have been behind the widespread campaign that breached around 165 companies by targeting cloud storage provider Snowflake.
According to reports, Moucka - known online as Judische and Waifu - was arrested following a request by the US and could face extradition. While officials have confirmed that he has been arrested on a provisional warrant and has appeared in court, there's no information on the precise charges he faces.
The attackers, known as UNC5537 or ShinyHunters, are believed to be mainly from North America, with Binns based in Turkey.
They leveraged the stolen credentials of an employee purchased on the dark web to compromise misconfigured SaaS instances at companies that had failed to use multi-factor authentication (MFA) on their Snowflake accounts.
Those affected included AT&T, Neiman Marcus, Ticketmaster, Adobe, Santander, Western Union, and PepsiCo. The AT&T attack alone saw the theft of personal data and call and text logs for more than 100 million people - virtually all its customers - while Ticketmaster said the data of 560 million customers was impacted.
Companies were reported to have later received ransom demands of between $300,000 and $5 million in exchange for the deletion of their data.
"UNC5537, aka Alexander ‘Connor’ Moucka, has proven to be one of the most consequential threat actors of 2024. In April 2024, UNC5537 launched a campaign, systematically compromising misconfigured SaaS instances across over a hundred organizations," said.
"The operation, which left organizations reeling from significant data loss and extortion attempts, highlighted the alarming scale of harm a single individual can cause using off-the-shelf tools. This arrest serves as a deterrent to cyber criminals and reinforces that their actions have serious consequences."
Snowflake implemented sweeping changes in the wake of the incident earlier this year, and now enforces multi-factor authentication (MFA) for new accounts. The company also requires all passwords to be at least 14 characters long.
