A major data breach and extortion campaign targeting customers of the Snowflake cloud data platform has led to the arrests of two individuals, while a third suspect, known as Kiberphant0m, remains at large. Kiberphant0m, suspected to be a U.S. Army soldier stationed in South Korea, is allegedly selling data stolen from major corporations, including AT&T, after obtaining compromised Snowflake account credentials. Alexander Moucka, also known as Connor Riley Moucka, was arrested in Canada and charged with multiple counts related to the breach. Another suspect, John Erin Binns, is currently incarcerated in Turkey. The stolen data included sensitive customer information; in the case of AT&T, it reportedly encompassed phone and text message records for approximately 110 million customers.
The attackers' brazenness extended to public threats by Kiberphant0m following Moucka's arrest. Kiberphant0m posted what they claimed were call logs belonging to President-elect Donald J. Trump and Vice President Kamala Harris, escalating the situation and showcasing their access to highly sensitive data. The hacker also threatened to release a U.S. National Security Agency data schema, allegedly obtained through the AT&T Snowflake breach, if AT&T did not contact them. These actions highlight the security risk posed by stolen account credentials for cloud data platforms: the intrusions relied on compromised Snowflake logins rather than on any flaw in the platform itself.
AT&T's response included paying a hacker a ransom of $370,000 to delete the stolen phone records. The incident underscores the escalating costs of data breaches and the difficult position companies face when confronted with extortion attempts. While the arrests of Moucka and Binns are a step toward accountability, Kiberphant0m's continued activity shows that the threat is ongoing and that stronger credential security and robust threat intelligence capabilities are urgently needed across the cloud data ecosystem.