Pure Storage pwned, claims data looted by criminals who broke into Snowflake workspace

Pure Storage is the latest company to confirm that it has been caught up in the growing wave of Snowflake-related data breaches.

A security bulletin published on the support page on Tuesday said the incident has been confirmed and addressed. It was strongly emphasized that no customer data had been compromised.

The all-flash storage vendor said only a single Snowflake data analytics workspace was compromised, but did not specify how exactly the breach occurred.

According to Mandiant’s report on the situation, published on Monday, the common factor observed by incident responders across all these breaches was the lack of MFA (Multi-Factor Authentication). Of course, this does not necessarily mean that this was the case in Pure’s situation. We have asked the company for comment.

Mandiant’s report also states that the number of organizations breached as a result of the crew, tracked as UNC5537, siphoning data out of Snowflake stood at 165 as of Monday. It’s not clear if Pure Storage was one of them or is adding to that number today.

Pure Storage’s hacked workspace contained “telemetry information” used to provide customer support, the vendor said in the bulletin.

“That information includes company names, LDAP usernames, email addresses, and the Purity software version number,” it added.

“The workspace did not contain any compromising information, such as passwords to access the array, or the data stored on the customer’s systems. Such information cannot and should never be communicated outside the array itself, and is not part of any telemetry. Telemetry information cannot be used to gain unauthorized access to customer systems.”

Pure said this was the only unusual activity it detected and that wider infrastructure remains unscathed. It also said it continues to monitor customers’ systems and has also found nothing concerning.

“The preliminary findings from a leading cybersecurity firm we engaged also confirm the conclusion we reached regarding workplace intelligence. Pure Storage remains fully committed to providing timely and transparent updates to our customers and we will continue to monitor this situation and use this forum for important updates.”

According to Mandiant’s assessment, UNC5537 has collected Snowflake credentials from previous infostealer dumps, some dating back to 2020.

Those previously stolen credentials are considered the leading cause of Snowflake-related breaches. The latest data shows that approximately 80 percent of all affected organizations had valid credentials exposed before the breach occurred.

Hudson Rock was the first to draw attention to the wave of breaches among Snowflake customers. The report on the matter was taken offline after Snowflake’s lawyers cited inaccuracies, namely regarding Hudson Rock’s assessment that a Snowflake employee’s account was compromised and used to exfiltrate customer data.

All eyes were on Snowflake, especially after many initially believed it was responsible for the massive Ticketmaster and Santander breaches, but this turned out to be incorrect. CEO Brad Smith said a former employee’s account was pwned, but it was only used to access demo accounts that offer nothing to attackers.

Smith was also the first to say that the “limited” number of customers who were hacked were all using single-factor authentication – a major security risk in 2024.

After debunking any notions that digital plunderers were in any meaningful way plundering its own infrastructure, Snowflake had to make it very clear in subsequent communications that there was absolutely no compromise at all at the company itself. ®
