Canadian authorities arrest hacker in connection with Snowflake breach

Snowflake data breach compromised sensitive information belonging to several high-profile companies


A major breakthrough in the investigation into the Snowflake data breach has led to the arrest of a 26-year-old man from the state of Ontario, Canada.

Acting on a provisional arrest warrant from the United States, Canadian authorities detained Alexander "Connor" Moucka on 30th October. He was arrested in Kitchener, a city about 65 miles west of Toronto.

Moucka appeared in court on Tuesday, although the exact charges against him remain undisclosed.

"As extradition requests are considered confidential state-to-state communications, we cannot comment further on this case," Ian McLeod, spokesperson for Canada's Department of Justice, told Bloomberg.

Cybersecurity researchers have identified Moucka as a key figure in the operation, linking him to several online monikers including "Judische" and "Waifu".

Moucka is suspected of collaborating with another hacker, John Binns, in the attack on AT&T, which exposed the personal data of nearly all of its customers for a six-month period in 2022.

Binns, who was indicted for a previous attack on T-Mobile, was arrested by Turkish authorities and remains in custody.

The Snowflake data breach, which came to light between April and July of this year, compromised sensitive information belonging to several high-profile companies, including AT&T, Ticketmaster, and Santander.

The hackers, who exploited weak security measures like the absence of multifactor authentication, targeted customer accounts using stolen login credentials.

It is estimated that over 165 organisations were affected by the cyberattack.

In an attempt to extort their victims, the hackers threatened to sell the stolen data on the dark web.

In July, US telecom giant AT&T reported a breach that exposed phone records for "nearly all" of its customers.

The compromised data covered a six-month period from May to October 2022, with a small number of records from January 2023 also affected. The information included phone numbers, call and text logs, and some location data linked to cell phone usage.

The breach involved AT&T's use of the Snowflake platform, which disclosed in May that a major cyberattack had compromised customer data across multiple clients.

According to an investigation by Mandiant, attackers had exploited stolen login credentials to access Snowflake accounts. Some of these credentials, compromised as early as 2020 through malware, were still active despite their age.
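The two weaknesses the article names, password-only logins with no second factor and stolen credentials that stayed valid for years, are exactly what a defender would hunt for in an account's login history. The script below is an added example and is not code from the article, from Snowflake or from Mandiant: it runs that check over a few constructed login and user records. The field names (user_name, first_authentication_factor, second_authentication_factor, password_last_set and so on) are assumptions modelled loosely on the columns in Snowflake's account-usage views, and the one-year credential age threshold is an arbitrary choice; map both to whatever your own account-usage export contains.

```python
"""Flag risky logins in constructed Snowflake-style login history records.

Added example, not from the article or from Snowflake. It models the two
weaknesses the article describes: successful password logins with no second
factor, and passwords that were set long before the login that used them.
All field names below are assumptions loosely modelled on Snowflake's
account-usage views; all records are constructed sample data.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class LoginEvent:
    user_name: str
    event_timestamp: datetime
    first_authentication_factor: str            # e.g. "PASSWORD", "SAML", "RSA_KEYPAIR"
    second_authentication_factor: Optional[str]  # e.g. "DUO_PUSH", or None if no MFA
    client_ip: str
    is_success: bool


@dataclass(frozen=True)
class UserRecord:
    user_name: str
    password_last_set: datetime  # when the user's password was last (re)set


# Arbitrary threshold: a password older than this at login time is flagged.
MAX_CREDENTIAL_AGE = timedelta(days=365)


def find_risky_logins(events: List[LoginEvent], users: List[UserRecord],
                      max_age: timedelta = MAX_CREDENTIAL_AGE
                      ) -> List[Tuple[LoginEvent, List[str]]]:
    """Return (event, reasons) for every successful password login that either
    had no second factor or used a password older than max_age at login time.
    Failed logins and non-password factors (SSO, key pair) are not in scope."""
    last_set_by_user = {u.user_name: u.password_last_set for u in users}
    findings = []
    for ev in events:
        if not ev.is_success or ev.first_authentication_factor != "PASSWORD":
            continue
        reasons = []
        if ev.second_authentication_factor is None:
            reasons.append("no second factor")
        last_set = last_set_by_user.get(ev.user_name)
        if last_set is not None:
            age = ev.event_timestamp - last_set
            if age > max_age:
                reasons.append(f"password {age.days} days old")
        if reasons:
            findings.append((ev, reasons))
    return findings


# Constructed reference time and sample records (not real accounts or IPs).
NOW = datetime(2024, 5, 20, tzinfo=timezone.utc)

USERS = [
    UserRecord("SVC_ETL", datetime(2020, 3, 1, tzinfo=timezone.utc)),  # stale service account
    UserRecord("ALICE", datetime(2024, 4, 1, tzinfo=timezone.utc)),
    UserRecord("BOB", datetime(2024, 1, 15, tzinfo=timezone.utc)),
]

EVENTS = [
    LoginEvent("SVC_ETL", NOW, "PASSWORD", None, "198.51.100.7", True),        # password only, old
    LoginEvent("ALICE", NOW, "PASSWORD", "DUO_PUSH", "203.0.113.9", True),     # MFA, fresh password
    LoginEvent("BOB", NOW, "SAML", None, "203.0.113.10", True),                 # SSO, out of scope
    LoginEvent("BOB", NOW, "PASSWORD", None, "198.51.100.8", False),            # failed, out of scope
]


if __name__ == "__main__":
    for ev, reasons in find_risky_logins(EVENTS, USERS):
        print(f"{ev.event_timestamp:%Y-%m-%d} {ev.user_name:<10} {ev.client_ip:<15} "
              + "; ".join(reasons))
```

On the constructed data only the SVC_ETL login is reported, for both reasons at once: it is the pattern the article describes, a password-only account whose credential was set years before the login that used it. In practice the same two conditions drive the remediation, enrolling or enforcing a second factor for password users and rotating or disabling credentials that predate a known infostealer exposure window.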

In June, the notorious hacking group ShinyHunters claimed to have stolen personal information belonging to millions of Santander bank's customers and employees.

The group also took responsibility for hacking 560 million customer accounts at Ticketmaster, claiming to have accessed full names, addresses, phone numbers, email addresses, ticket purchase histories, and partial payment details, including the last four digits of credit card numbers and expiration dates.

Snowflake's cloud data platform, which serves 9,437 customers—including major companies such as Adobe, AT&T, Capital One, HP, Mastercard, Okta, PepsiCo and Western Union—was implicated in these incidents.

Snowflake denied any security vulnerability within its platform, attributing the breaches to weak security on customer accounts rather than flaws in its own system.