Pure Storage, a provider of cloud storage systems and services, has confirmed and addressed a security incident involving unauthorized access to one of its Snowflake data analytics workspaces. This workspace contained telemetry information used by Pure Storage to provide proactive customer support services. The Pure Storage data breach involved a third party temporarily gaining access to the workspace, which housed data such as company names, LDAP usernames, email addresses, and the Purity software release version number.
Importantly, no sensitive information like credentials for array access or any other data stored on customer systems was compromised.
“Such information is never and can never be communicated outside of the array itself, and is not part of any telemetry information. Telemetry information cannot be used to gain unauthorized access to customer systems,” stated Pure Storage in an official statement.
Pure Storage Data Breach: Investigation Ongoing
Upon knowing about the cybersecurity incident, Pure Storage took immediate action to block any further unauthorized access to the workspace. The company emphasized that no unusual activity has been detected on other elements of its infrastructure.
“We see no evidence of unusual activity on other elements of the Pure infrastructure. Pure is monitoring our customers’ systems and has not found any unusual activity. We are currently in contact with customers who similarly have not detected unusual activity targeting their Pure systems,” reads the official statement.
Preliminary findings from a cybersecurity firm engaged by Pure Storage support the company’s conclusions about the nature of the exposed information.
Pure Storage simplifies data storage with a cloud experience that empowers organizations to maximize their data while reducing the complexity and cost of managing the infrastructure behind it. Thousands of customers, including high-profile companies like Meta, Ford, JP Morgan, NASA, NTT, AutoNation, Equinix, and Comcast, use Pure Storage’s data storage platform.
Context of Recent Snowflake Cybersecurity Incidents
Before the Pure Storage data breach, Advance Auto Parts, Inc., a significant provider of automobile aftermarket components, allegedly suffered a massive data breach. A threat actor known as “Sp1d3r” claimed responsibility, alleging the theft of three terabytes of data from the company’s Snowflake cloud storage, which is reportedly being sold for $1.5 million.
Live Nation, the parent company of Ticketmaster, also confirmed “unauthorized activity” on its database hosted by Snowflake, a Boston-based cloud storage and analytics company.
In a joint advisory with Mandiant and CrowdStrike, Snowflake revealed that attackers used stolen customer credentials to target accounts lacking multi-factor authentication protection. Mandiant linked these attacks to a financially motivated threat actor tracked as UNC5537 since May 2024.
This malicious actor gains access to Snowflake customer accounts using credentials stolen in historical infostealer malware infections dating back to 2020. These cyberattacks have targeted hundreds of organizations worldwide, extorting victims for financial gain.
So far, the cybersecurity firm has identified hundreds of customer Snowflake credentials exposed in Vidar, RisePro, Redline, Racoon Stealer, Lumm, and Metastealer malware attacks. Snowflake and Mandiant have notified around 165 organizations potentially exposed to these ongoing cyberattacks.
