Pure Storage Announces Data Breach via Snowflake Account Hack

• Another Snowflake customer comes forth with a data breach disclosure.
• Cloud storage company Pure Storage announced unauthorized third-party access to its Snowflake environment.
• The exposed database allegedly contained only telemetry information.

Cloud storage systems and services provider Pure Storage has confirmed and addressed a data breach involving an unauthorized third party that had temporary access to one of the company’s Snowflake accounts. The security incident exposed a Snowflake data analytics workspace with telemetry information for customer support services. 

Pure Storage said the database does not store passwords for array access or “any of the data that is stored on the customer systems” but includes LDAP usernames, email addresses, company names, and the Purity software release version number, which the cloud storage provider says “cannot be used to gain unauthorized access to customer systems.”

The announcement mentions that the firm took immediate action to block any further unauthorized access and engaged “a leading cybersecurity firm” to help. The investigation yielded no evidence of unusual activity on other elements of the Pure Storage infrastructure and its customers’ systems.

The data theft incident affecting cloud data company Snowflake customers has been attributed to the UNC5537 threat actor. This actor operates under various aliases on Telegram channels and cybercrime forums and has frequently targeted hundreds of organizations worldwide for extortion.

Incident response firm Mandiant says approximately 165 companies may have had their data stolen through the use of leaked credentials of Snowflake customer accounts without multi-factor authentication (MFA) exposed via several info-stealer malware variants. MFA is not mandatory nor default for Snowflake user accounts.

The earliest info-stealer infection date observed associated with credentials leveraged by the threat actor is November 2020, and hundreds of Snowflake customer credentials have been exposed via info-stealers since then, including Ticketmaster, Santander Bank, and LendingTree subsidiary QuoteWizard.