Malware
Pure Storage Reveals Data Breach Following Intense Snowflake Account Hack
Pure Storage has confirmed a data breach following the hacking of their Snowflake account. The incident exposed customer information, but the company assures no financial data was compromised. Discover how this attack highlights the need for organizations to prioritize cybersecurity measures and protect their user data.
Imagine this: you’re a company providing cloud storage systems and services to over 11,000 customers, including big names like Meta, Ford, and NASA. Then, one day, you find out that hackers have breached your security and gained access to some of your customers’ information. That’s exactly what happened to Pure Storage recently.
On Monday, Pure Storage confirmed that attackers had breached their Snowflake workspace, a cloud-based data analytics platform. The company stated that the breach exposed telemetry information, which includes customer names, usernames, and email addresses. However, they emphasized that the attackers did not gain access to any credentials for array access or data stored on customer systems.
“Following a thorough investigation, Pure Storage has confirmed and addressed a security incident involving a third party that had temporarily gained unauthorized access to a single Snowflake data analytics workspace,” the storage company said.
Since the breach, Pure has taken measures to prevent further unauthorized access to its Snowflake workspace. They have also been in contact with their customers and have not found any evidence of malicious activity targeting their systems.
Attackers target Snowflake accounts with stolen credentials
So, how did the attackers breach Pure Storage’s Snowflake workspace? According to a joint advisory by Mandiant and CrowdStrike, the attackers used stolen customer credentials to target Snowflake accounts that lacked multi-factor authentication protection.
Mandiant also linked the Snowflake attacks to a financially motivated threat actor known as UNC5537. They have been active since May 2024 and are responsible for targeting hundreds of organizations worldwide, extorting victims for financial gain.
The attackers gained access to Snowflake customer accounts using credentials stolen in historical infostealer malware infections dating back to 2020. Mandiant revealed that the impacted accounts did not have multi-factor authentication enabled, and in some cases, the stolen credentials were still valid years after they were initially stolen.
“The impacted Snowflake customer instances did not have network allow lists in place to only allow access from trusted locations,” Mandiant said.
UNC5537’s Snowflake attack spree
Mandiant has so far identified hundreds of Snowflake customer credentials exposed in various infostealer malware attacks. Snowflake and Mandiant have notified approximately 165 organizations that could have been exposed to these ongoing attacks.
Not much information is publicly available about UNC5537, but we’ve learned that they are part of a larger community of threat actors who collaborate on attacks through websites, Telegram, and Discord servers.
Recent breaches at Santander, Ticketmaster, and QuoteWizard/LendingTree have also been linked to these ongoing Snowflake attacks. In fact, Ticketmaster’s parent company, Live Nation, confirmed a data breach after its Snowflake account was compromised on May 20.
Currently, a threat actor is selling 3TB of data from automotive aftermarket parts provider Advance Auto Parts. The data allegedly includes 380 million customer profiles and 44 million loyalty/gas card numbers with customer details, stolen after the company’s Snowflake account was breached.
Don’t be the next victim
The Pure Storage breach and other Snowflake attacks are a stark reminder of the importance of cybersecurity. With threat actors like UNC5537 continually targeting organizations, it’s crucial to stay informed and take proactive measures to protect your data and systems.
That’s where we come in. As IT Services experts, we are here to help you navigate the complex world of cybersecurity. Whether you need advice on implementing multi-factor authentication, setting up network allow lists, or just staying up-to-date on the latest threats, don’t hesitate to reach out to us.
Together, we can ensure that you’re well-equipped to face the ever-evolving landscape of cyber threats. So, contact us today and keep coming back to learn more about how you can protect your organization from attacks like these.