Pure Storage says attackers broke into a Snowflake environment

But no sensitive data was compromised

Cloud storage provider Pure Storage has disclosed that attackers infiltrated a specific data workspace on Snowflake, gaining access to some customer information.

The company confirmed the incident in a security bulletin, assuring customers that no sensitive data was compromised.

The breach involved unauthorised access to a Snowflake cloud workspace containing "telemetry information" used for customer support, such as company names, LDAP usernames, email addresses and the Purity software release version numbers.

However, the breached workspace did not contain critical information like passwords for array access or any stored customer data, according to the company.

"Such information is never and can never be communicated outside of the array itself, and is not part of any telemetry information. Telemetry information cannot be used to gain unauthorised access to customer systems," Pure Storage said.

It refrained from disclosing how attackers infiltrated the workspace, but noted it was an isolated incident.

The company claims to have taken immediate action to secure their Snowflake environment and said they found no evidence of any unusual activity within their broader infrastructure.

"Pure is monitoring our customers' systems and has not found any unusual activity. We are currently in contact with customers who similarly have not detected unusual activity targeting their Pure systems," it added.

The company is working with a leading cybersecurity firm, and says initial data "validates the conclusion we reached regarding the information in the workspace."

"Pure Storage remains fully committed to providing timely and transparent updates to our customers and we will continue to monitor this situation and use this forum for important updates."

More than 11,000 organisations, including Meta and Ford, use Pure Storage's data platform.

The incident is part of a larger attack campaign targeting Snowflake users. Security firm Mandiant has identified 165 organisations potentially exposed in these attacks.

Mandiant linked these attacks to a financially motivated threat actor UNC5537, who has been active since May 2024. UNC5537 leverages historical data breaches dating back to 2020, utilising stolen credentials from infostealer malware to infiltrate Snowflake accounts.

Mandiant has clarified that attackers are not directly breaching Snowflake's environment. Instead, they are exploiting stolen credentials to target individual customer accounts that lack multi-factor authentication.

Mandiant's analysis suggests 80% of affected organisations likely had compromised credentials before the Snowflake breaches.

The cybersecurity firm has identified hundreds of exposed Snowflake credentials linked to various infostealer malware strains, including Vidar, Redline, Lumm, Racoon Stealer and Metastealer.

"Credentials identified in infostealer malware output were still valid, in some cases years after they were stolen, and had not been rotated or updated. The impacted Snowflake customer instances did not have network allow lists in place to only allow access from trusted locations."

Recent breaches at Santander and Ticketmaster have also been linked to ongoing Snowflake attacks.

Snowflake has denied any vulnerability in its system, insisting that the breaches have resulted from poorly secured customer accounts.