Snowflake, a major cloud data platform, failed to implement basic security safeguards, which allowed attackers to breach approximately 165 customer organizations and compromise over 500 million consumer and employee records between April and June 2024. The data theft exposed some of the world’s largest companies—including Ticketmaster (560 million records), AT&T (110 million customer call and text records), and financial institutions like Santander Bank—to identity theft, fraud, and regulatory violations. According to class action litigation now consolidated before a federal court in Montana, Snowflake’s negligence in enforcing multi-factor authentication (MFA) and failing to implement reasonable security measures created conditions where attackers using stolen credentials could freely access customer databases. The breach has sparked one of the year’s largest litigation campaigns against a cloud service provider.
The threat actor UNC5537, also known as ShinyHunters, used infostealer malware to obtain Snowflake customer credentials, then used those credentials to infiltrate customer accounts that lacked MFA protection. Rather than deploying industry-standard authentication safeguards that could have prevented this attack, Snowflake allowed its platform to remain vulnerable. As a result, a federal multidistrict litigation (MDL) now consolidates 84 lawsuits filed by consumers, corporations, and financial institutions alleging breach of contract, negligence, breach of fiduciary duty, and unjust enrichment. This litigation represents a critical moment in cloud security accountability. The case challenges whether cloud service providers can continue operating without mandatory security baselines, and it raises the stakes for other platforms that store sensitive customer data in shared cloud environments.
HOW DID THE SNOWFLAKE DATA BREACH OCCUR AND WHAT ROLE DID MISSING SECURITY MEASURES PLAY?
The Snowflake breach began when attackers leveraged infostealer malware—malicious software that harvests login credentials from infected computers—to steal Snowflake customer usernames and passwords during the April-to-June 2024 window. Using these legitimate credentials, the threat actor group UNC5537 (ShinyHunters) logged into Snowflake customer accounts. Under normal circumstances, this credential theft alone would not have granted access, because multi-factor authentication (MFA) would require a second verification step—typically a code sent to a phone or generated by an authentication app—that the attacker could not bypass. However, Snowflake did not enforce MFA as a mandatory requirement for customer accounts. While some customers had voluntarily enabled MFA, many had not, leaving their accounts protected by passwords alone. This meant that once an attacker possessed stolen credentials, they could log in directly without encountering a second authentication barrier.
The breach thus revealed a fundamental gap between Snowflake’s responsibilities as a custodian of sensitive data and the basic security practices that industry standards and regulations expect. The National Institute of Standards and Technology (NIST) and other cybersecurity authorities have long recommended MFA as a baseline control for systems handling critical data. Snowflake’s decision not to mandate it left the door open for exactly this type of attack. The timeline of the breach demonstrates how quickly attackers can move once they have valid credentials. Between April and June 2024, UNC5537 accessed and exfiltrated data from approximately 165 Snowflake customer organizations. This was not a slow, stealthy penetration that took months to detect—it was a rapid, systematic harvesting operation. By the time Snowflake and its customers discovered the breach, the damage was done: over 500 million records had been stolen, affecting everything from consumer purchase histories to employee medical information to banking transaction metadata.

WHICH MAJOR COMPANIES WERE COMPROMISED AND HOW EXTENSIVE WAS THE DATA THEFT?
The scope of the Snowflake breach revealed just how central this platform has become to enterprise data infrastructure. Ticketmaster, the worldwide ticketing system for concerts and sporting events, lost approximately 560 million records—including customer names, email addresses, phone numbers, order histories, and payment card details. This represented one of the largest single-company breaches on record. AT&T disclosed that approximately 110 million of its customers had their call and text metadata—logs of who called or texted whom and when—stolen, information that can be highly sensitive even without the content of communications. Beyond these headline victims, the breach affected a cross-section of American business and finance. Santander Bank, one of the largest financial institutions in the world, had customer data compromised. Advance Auto Parts, a major automotive retailer, was breached. Neiman Marcus, the luxury retailer, lost customer information.
LendingTree, which collects personal financial information from consumers applying for loans and credit cards, had its entire customer database exposed. Collectively, the 165 affected Snowflake customers operated in retail, financial services, telecommunications, healthcare, entertainment, and technology sectors. The breach was not targeted or selective—it was opportunistic and comprehensive, capturing whatever data happened to reside on Snowflake instances without MFA protection. A critical limitation of the current disclosure is that we may never know the full count of affected individuals. Companies are still discovering what was stolen months after the breach. Some organizations may not have publicly disclosed the breach or may still be assessing the scope of data loss. The 500+ million figure represents confirmed exfiltrations, but the true number could be higher. Additionally, the stolen data has not all been deleted; it circulates in criminal forums and databases, creating years of ongoing fraud risk for affected consumers and businesses.
WHAT SPECIFIC LEGAL CLAIMS ARE CONSUMERS AND INSTITUTIONS FILING AGAINST SNOWFLAKE?
The lawsuits filed against Snowflake allege multiple legal theories of liability. Consumers and institutions are asserting claims for negligence—arguing that Snowflake breached a duty of care by failing to implement reasonable security measures such as mandatory MFA. They claim that Snowflake, as a service provider handling sensitive customer data, was required to maintain security standards consistent with industry practice, and that failing to do so was a breach of contract. Many customer agreements with Snowflake include explicit or implicit promises that the platform will protect data with reasonable safeguards; the breach represents a violation of those contractual obligations. The lawsuits also allege breach of implied contract and breach of fiduciary duty.
The implied contract claim rests on the understanding that when a company pays Snowflake to store its data, there is an implicit agreement that Snowflake will protect it. The fiduciary duty claims argue that Snowflake, as a trusted custodian of data, had a heightened obligation to safeguard it against foreseeable threats like credential theft. Plaintiffs are also seeking damages for unjust enrichment, arguing that Snowflake profited from customer relationships without delivering the level of security that customers were paying for. The legal remedies sought include unspecified compensatory damages (to cover costs such as credit monitoring, identity theft recovery, and diminished asset value), punitive damages in some cases, attorneys’ fees, and injunctive relief (court orders requiring Snowflake to implement mandatory MFA and other specified security measures). The injunctive relief is particularly significant: if granted, it would force Snowflake to change its security architecture going forward, making MFA mandatory for all customer accounts. This would represent a court-imposed security upgrade that Snowflake voluntarily chose not to implement.

WHAT IS THE STRUCTURE AND TIMELINE OF THE LITIGATION?
The Snowflake litigation is being handled through a multidistrict litigation (MDL), which is a federal procedural mechanism for consolidating related lawsuits filed in different courts into a single coordinated proceeding. The first class action was filed on June 13, 2024, in the U.S. District Court for the District of Montana. As more lawsuits were filed across the country, they began to create duplicative proceedings. To improve efficiency and prevent conflicting rulings, the Judicial Panel on Multidistrict Litigation (JPML) consolidated the cases on October 4, 2024, establishing MDL 2:24-md-03126 before Judge Brian Morris in Montana. As of the most recent filings, 84 separate lawsuits have been consolidated into the MDL. On February 3, 2025, the first consumer representative complaint was filed, establishing the framework for consumer class action claims.
Later, on April 7, 2025, a separate representative complaint was filed on behalf of financial institutions and other businesses that were customers of Snowflake. This created two distinct tracks within the MDL: one for individual consumers and one for institutional plaintiffs. The creation of a separate financial institution track on February 14, 2025, reflects the recognition that large companies may have different damages and legal theories than individual consumers. This procedural structure means that the case is still in relatively early stages despite more than a year having passed since the breach. The representative complaints filed in early 2025 will now likely move toward motion practice, discovery, and potentially settlement discussions. Consumer MDLs of this scale typically take multiple years to resolve, whether through settlement or trial. The court and parties are unlikely to reach a comprehensive resolution within the next 12 months.
WHAT RESPONSIBILITIES DID SNOWFLAKE HAVE AS A CLOUD SERVICE PROVIDER AND DID IT MEET THEM?
Cloud service providers like Snowflake occupy a unique position in the modern data ecosystem: they do not own the data stored on their platforms, but they exercise complete control over how that data is secured and who can access it. This creates what security experts call a “shared responsibility model,” where the cloud provider is responsible for securing the infrastructure and access controls, while customers are responsible for how they use the service. However, shared responsibility does not mean equal responsibility—cloud providers have the dominant role in preventing unauthorized access. Snowflake’s core responsibility was to prevent unauthorized access to customer data.
This responsibility flows from multiple sources: (1) explicit contractual language promising data protection, (2) industry standards and best practices that have been codified by NIST, the Cloud Security Alliance, and other organizations, (3) data protection regulations like HIPAA (for healthcare data), the Gramm-Leach-Bliley Act (for financial data), and emerging state privacy laws that impose minimum security requirements on companies handling personal information, and (4) common law negligence, which holds service providers to the standard of care that a reasonable service provider would exercise. The warning embedded in the Snowflake litigation is that cloud service providers cannot outsource their security obligations to customers. Snowflake’s argument—that customers could have enabled MFA on their own—does not relieve Snowflake of the obligation to make security easier and mandatory. Making MFA optional rather than mandatory is a choice that Snowflake made, and that choice created foreseeable risk. Once a company stores 500 million people’s records on a platform, the stakes are too high to leave critical security decisions to customers who may lack security expertise or awareness.

HOW DOES THE SNOWFLAKE BREACH COMPARE TO OTHER MAJOR DATA BREACH LITIGATION?
The Snowflake breach is not the first time a major service provider has been sued for inadequate security, but it is distinctive in its scale and in the clarity of the security failure. The breach involves more records and more high-profile victims than most previous data breach cases. The negligence is also particularly stark: MFA is not an exotic, difficult-to-implement technology—it is a mature, standard control that has been available for years and is widely used across the internet. Snowflake’s decision not to mandate it is easier to characterize as negligent than some other breaches where the security failure was more subtle or cutting-edge technology was insufficient to prevent the attack.
Previous data breach litigation has often resulted in settlements rather than large jury verdicts or significant injunctive relief. However, the Snowflake case benefits from recent shifts in judicial attitudes toward data security and privacy. Courts and juries are increasingly skeptical of companies that fail to implement well-established security practices. The example of Ticketmaster—a company that most consumers have interacted with—may make this case more sympathetic to juries than some other breaches that affected smaller or less well-known companies. If the case proceeds to trial and results in a substantial verdict, it could raise the bar for cloud service provider security standards industry-wide.
WHAT SHOULD ORGANIZATIONS DO NOW AND WHERE IS THE LITIGATION HEADED?
For customers currently using Snowflake or considering using it, the lesson is to demand and verify that mandatory MFA is enforced on all accounts, regardless of Snowflake’s default settings. Organizations should also conduct a security audit of their Snowflake configuration, review access logs to determine whether any unauthorized access occurred, and assess whether their data was among the 500+ million records exfiltrated. If employees or customers of your organization work in an affected company like Ticketmaster or AT&T, they may be eligible for class membership and potential recovery through this litigation.
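The audit steps above, as an added example that is not from the original article or from Snowflake: it lists accounts with no MFA enrolled, triages successful password-only logins by source network, and scopes which other accounts were touched from the same unfamiliar address. The rows, field names, and allowlisted network are constructed assumptions, not a real export format.

```python
import ipaddress

# Constructed sample data for illustration. Field names and the network
# allowlist are assumptions, not a real export format.
KNOWN_NETWORKS = [ipaddress.ip_network("192.0.2.0/24")]  # assumed corporate egress range
USERS = [
    {"user": "ANALYST_A", "mfa_enrolled": True},
    {"user": "ETL_SVC", "mfa_enrolled": False},
    {"user": "REPORTING", "mfa_enrolled": False},
]
LOGINS = [
    {"ts": "2024-05-02T08:01:11Z", "user": "ANALYST_A", "ip": "192.0.2.10", "first": "PASSWORD", "second": "TOTP", "ok": True},
    {"ts": "2024-05-02T09:14:40Z", "user": "ETL_SVC", "ip": "192.0.2.25", "first": "PASSWORD", "second": None, "ok": True},
    {"ts": "2024-05-03T02:47:03Z", "user": "REPORTING", "ip": "203.0.113.77", "first": "PASSWORD", "second": None, "ok": True},
    {"ts": "2024-05-03T02:49:50Z", "user": "ANALYST_A", "ip": "203.0.113.77", "first": "PASSWORD", "second": None, "ok": False},
]

def users_without_mfa(users):
    """Accounts that a stolen password alone would open."""
    return sorted(u["user"] for u in users if not u["mfa_enrolled"])

def password_only_logins(logins):
    """Successful logins where a password was the only factor presented."""
    return [e for e in logins if e["ok"] and e["first"] == "PASSWORD" and not e["second"]]

def triage(logins, networks=KNOWN_NETWORKS):
    """Split password-only logins into (review first, known source) by source IP."""
    review, known = [], []
    for e in password_only_logins(logins):
        addr = ipaddress.ip_address(e["ip"])
        inside = any(addr in net for net in networks)
        (known if inside else review).append(e)
    return review, known

def scope_by_ip(logins, review):
    """For each unfamiliar source IP, every user it tried, including failed attempts."""
    seen = {e["ip"]: set() for e in review}
    for e in logins:
        if e["ip"] in seen:
            seen[e["ip"]].add(e["user"])
    return {ip: sorted(users) for ip, users in seen.items()}

if __name__ == "__main__":
    review, known = triage(LOGINS)
    print("No MFA enrolled:", users_without_mfa(USERS))
    print("Review first:", [(e["ts"], e["user"], e["ip"]) for e in review])
    print("Password-only, known network:", [e["user"] for e in known])
    print("Other accounts tried from same IPs:", scope_by_ip(LOGINS, review))
```

A password-only login from a known network is still a finding: the account remains exposed until MFA is enforced on it.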
The litigation is likely to continue through 2026 and possibly into 2027. Early indicators from the courts and the plaintiffs’ bar suggest that this case could result in a substantial settlement—potentially in the range of hundreds of millions of dollars—or could proceed to trial if Snowflake maintains its defense. Either way, the case is establishing that cloud service providers cannot hide behind the “shared responsibility model” to avoid liability for security failures that are within their control. The most likely outcome is that Snowflake will be required to implement stronger security controls (mandatory MFA, potentially other measures), pay compensation to affected parties, and may face injunctive orders requiring annual security audits or third-party certifications.
Conclusion
The Snowflake Data Breach class action represents a reckoning over cloud security accountability. Snowflake’s failure to implement mandatory multi-factor authentication created conditions that allowed attackers to steal over 500 million records from 165 customer organizations, affecting some of the world’s largest companies and the hundreds of millions of people whose data they hold. The consolidated litigation before Judge Brian Morris in Montana is advancing through early 2025 with separate tracks for consumer and institutional plaintiffs, and settlements or verdicts are likely to follow within the next 12 to 24 months.
If you believe you were affected by the Snowflake breach—either as an employee of a compromised company or as a consumer whose data was exfiltrated—you may have legal rights to pursue claims or join the class action. The litigation is ongoing, and the courts have already begun accepting representative complaints. Tracking the case and understanding your eligibility for recovery is important as the case moves toward resolution.