Top cloud security threats of 2024: the year of credential theft
Snowflake customer compromises, Microsoft Midnight Blizzard, AnyDesk - the 2024 cloud incident pattern was consistent: stolen credentials reused against unprotected SaaS. Eight failure modes, ranked by real-world incident frequency.
The eight failure modes
After our 2024 cloud engagement work, the recurring failure modes cluster cleanly. They are the ones that don't show up in vendor security reports because they're configuration drift, not vulnerabilities. The Snowflake customer compromises, the Midnight Blizzard breach of Microsoft, AnyDesk, Cloudflare - all of 2024's headline cloud incidents - trace back to one of these.
The eight, ranked by 2024 incident attribution
| # | Failure mode | 2024 headline incidents | Blast radius |
|---|---|---|---|
| 1 | Credential reuse / no MFA on SaaS | Snowflake customers, AT&T | CRITICAL |
| 2 | Stolen OAuth / API tokens | Cloudflare (Nov 2023), AnyDesk | CRITICAL |
| 3 | Stale IdP trust / over-privileged service account | Microsoft Midnight Blizzard | CRITICAL |
| 4 | IAM privilege creep | Recurring across all clouds | HIGH |
| 5 | Leaky CI/CD pipelines | Industry-wide pattern | HIGH |
| 6 | Open management planes | Recurring (Shodan) | CRITICAL |
| 7 | Public storage buckets | Continuing pattern | HIGH |
| 8 | Missing cloud-control attestation | Recurring | MEDIUM |
The compound risk is the real story. Mandiant attributed the Snowflake campaign to UNC5537: 165 customer instances compromised through one consistent vector, customer accounts with no MFA, accessed with credentials harvested from earlier infostealer infections. None of those credentials needed to be "new" - many were 3+ years old.
The 2024 case studies
Snowflake customer breaches (UNC5537)
Mandiant publicly documented in June 2024 that a threat actor it tracks as UNC5537 had compromised at least 165 Snowflake customer instances by reusing credentials harvested from infostealer logs - some dating back to 2020. The compromised customers included Ticketmaster, Santander, AT&T, Pure Storage, and others.
The technical sophistication of the attack was zero. Every compromised tenant had two configuration choices in common: no enforced MFA, no IP allow-list. The attacker simply tried known-leaked credentials.
Midnight Blizzard / Microsoft (CVE-free, configuration-only)
In January 2024 Microsoft disclosed that the nation-state actor it tracks as Midnight Blizzard (NOBELIUM / APT29) had accessed senior leadership email accounts. The entry point was a legacy non-production tenant that did not have MFA enforced; the attacker then identified an OAuth application with elevated privileges, gave themselves access, and used that application to read mail from production tenants.
No CVE was involved. Every step was a configuration choice.
Cloudflare (Thanksgiving 2023 incident)
Cloudflare disclosed on February 1, 2024 that the same Okta breach that affected many companies in October 2023 (HAR file theft) had been used to access Cloudflare's Atlassian Confluence and Jira instances. The threat actor used stolen tokens that Cloudflare had not rotated despite being notified of the Okta breach.
The lesson: a credential rotation is only effective if it is complete. Partial rotations leave the attacker on the inside.
Why each one matters
Credential reuse / no MFA on SaaS
The Snowflake pattern. Infostealer logs are cheap on darknet markets; testing them against SaaS tenants is automated. If your enforcement is "MFA is recommended", you have already failed this control.
Stolen OAuth tokens
The Cloudflare pattern. Tokens are easier to steal than passwords (no MFA prompt) and bypass MFA entirely. Rotate after any vendor incident, even if "your customers were not affected" is in the vendor statement.
Stale IdP trust / privileged service principal
The Midnight Blizzard pattern. The OAuth app that nobody owns or monitors is the lateral-movement vehicle. Audit every service principal with directory-wide permissions.
IAM privilege creep
Service accounts accumulate roles over time, never pruned. The account doing log shipping now also has access to the production database because someone debugged a thing eight months ago.
Leaky CI/CD
Covered in detail in our March 2025 zero-day report - the tj-actions compromise is the same pattern.
What 2024's incidents had in common
A quarterly cadence that actually works
- Week 1: IAM role audit. Inventory every service account, OAuth application, and federated identity. Flag any with privileges unused in the past 90 days. Run this against AWS IAM, Azure Entra ID, and Google Cloud IAM simultaneously - threat actors do.
- Week 3: SaaS MFA enforcement audit. For every SaaS tenant (Snowflake, Salesforce, Atlassian, GitHub, Okta), confirm MFA is enforced, not just "available". Confirm there is no SSO bypass for emergency accounts in actual use.
- Week 6: OAuth application review. Audit every third-party OAuth app granted directory-wide or mailbox-read permissions. Revoke any unused since the audit baseline. This is the Midnight Blizzard control specifically.
- Week 9: Cross-account / cross-tenant trust review. Map every assume-role chain and every cross-tenant federation. Require MFA for cross-account. Time-bound any chain longer than two hops.
- Week 12: Re-test & document. Run the same scan you ran in week 1. The delta is your evidence. File it with the next quarter's plan.
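An added example, not code from the original post: a minimal Python model of the week-1 stale-privilege audit and the week-12 re-test delta. The inventory records, identity names and permission names are constructed, and the input shape (one record per identity, each privilege mapped to its last-used timestamp) is an assumption; in practice it would be built from each cloud's own access-activity exports.

```python
from datetime import datetime, timedelta

# Constructed sample inventory (not real accounts): one record per identity,
# mapping each granted privilege to the last time it was used (None = never used).
INVENTORY = [
    {"id": "svc-log-shipper", "kind": "service_account", "tenant": "aws",
     "privileges": {"s3:PutObject": "2024-12-01T08:00:00Z",
                    "rds:Connect": "2024-03-02T11:00:00Z"}},  # debug leftover, never pruned
    {"id": "app-legacy-test", "kind": "oauth_app", "tenant": "entra",
     "privileges": {"Mail.Read": None}},                        # mailbox-read, never used
    {"id": "alice@example.com", "kind": "user", "tenant": "snowflake",
     "privileges": {"ACCOUNTADMIN": "2024-12-10T09:30:00Z"}},
]


def _parse(ts):
    """ISO-8601 UTC string -> aware datetime; None stays None."""
    if ts is None:
        return None
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def stale_privileges(inventory, as_of, days=90):
    """Week-1 audit: {identity_id: [privileges unused for `days` days or never used]}.

    `as_of` may be an ISO-8601 string or an aware datetime.
    """
    as_of = _parse(as_of) if isinstance(as_of, str) else as_of
    cutoff = as_of - timedelta(days=days)
    findings = {}
    for ident in inventory:
        stale = [priv for priv, last in ident["privileges"].items()
                 if _parse(last) is None or _parse(last) < cutoff]
        if stale:
            findings[ident["id"]] = sorted(stale)
    return findings


def audit_delta(baseline, current):
    """Week-12 re-test: compare two findings dicts from stale_privileges().

    Returns (identity, privilege) pairs that were fixed, are still open, or are new.
    """
    base = {(i, p) for i, privs in baseline.items() for p in privs}
    curr = {(i, p) for i, privs in current.items() for p in privs}
    return {"fixed": sorted(base - curr), "open": sorted(base & curr), "new": sorted(curr - base)}


if __name__ == "__main__":
    week1 = stale_privileges(INVENTORY, "2024-12-15T00:00:00Z")
    print("week 1 findings:", week1)
    # Simulated week-12 state: OAuth app revoked, log shipper untouched, one new grant.
    week12 = {"svc-log-shipper": ["rds:Connect"], "ci-deploy": ["iam:PassRole"]}
    print("delta:", audit_delta(week1, week12))
```

The "open" set is the list to escalate: a finding that survives a full quarter is the privilege-creep pattern described above, not noise.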
> 2024's cloud incidents weren't sophisticated. They didn't use zero-days. They used credentials that were sitting in infostealer logs and OAuth tokens that hadn't been rotated. The vendor wasn't going to breach you. The misconfiguration in your half of the matrix did.
> - Staatse cloud-engagement retrospective, 2024
Key takeaways
- The 2024 cloud incident pattern is overwhelmingly credential-theft, not CVE-exploitation. MFA enforcement is the single highest-leverage control.
- The Snowflake campaign (165+ customers) was preventable on every affected tenant by enforcing MFA - this is the case study to use with your board.
- Token rotation after a vendor incident must be complete - the Cloudflare case shows partial rotation is the attacker's foothold.
- The "stolen credential to cloud breach" path is a 5-minute attack chain. Your detection cadence has to assume that timeline.
Closing
If you want a focused review against these eight specifically, we run a fixed-scope cloud-identity-and-segmentation engagement that lands in two weeks. Get in touch. The cloud penetration testing service page has the engagement structure and what you get.
References & further reading
- Mandiant - UNC5537 targets Snowflake customer instances for data theft and extortion
- Microsoft Security Response Center - Midnight Blizzard: Guidance for responders on nation-state attack
- AT&T - AT&T notification: data specific to wireless customers
- AnyDesk - Public statement on cyber-security incident
- Cloudflare - Thanksgiving 2023 security incident
- Verizon - 2024 Data Breach Investigations Report (DBIR)
- IBM Security - Cost of a Data Breach Report 2024
- Wiz Research - State of the cloud 2024