Pure Storage is the latest company to confirm it's a victim of mounting Snowflake-related data breaches.

A security bulletin published to its support page on Tuesday said the incident has been confirmed and addressed. It emphasized strongly that no customer data was compromised.

The all-flash storage vendor said it was just a single Snowflake data analytics workspace that was compromised, but did not specify how exactly the breach occurred.

According to Mandiant's report on the situation, which was published on Monday, the common factor observed by its incident responders in all these breaches was the lack of MFA (Multi-Factor Authentication). This doesn't necessarily mean this was the case in Pure's situation, of course. We have asked the company to comment.

Mandiant's report also said the number of organizations breached as a result of Snowflake credentials being hoovered up by the crew known as UNC5537 stood at 165 as of Monday. It isn't clear if Pure Storage was one of them or adds to that number today.

The breached workspace belonging to Pure Storage contained "telemetry information" used to provide customer support services, the vendor said in the bulletin.

"That information includes company names, LDAP usernames, email addresses, and the Purity software release version number," it added.

"The workspace did not include compromising information such as passwords for array access, or any of the data that is stored on the customer systems. Such information is never and can never be communicated outside of the array itself, and is not part of any telemetry information. Telemetry information cannot be used to gain unauthorized access to customer systems."

Pure said this was the only unusual activity it detected and its wider infrastructure remains unscathed. It also said it's continuing to monitor customers' systems and equally hasn't found anything of concern. 

"Preliminary findings from a leading cybersecurity firm we engaged also validates the conclusion we reached regarding the information in the workspace. Pure Storage remains fully committed to providing timely and transparent updates to our customers and we will continue to monitor this situation and use this forum for important updates."

According to Mandiant's assessment, UNC5537 has been gathering Snowflake credentials from previous infostealer dumps, some dating back to 2020.

It's being treated as the leading cause of Snowflake-related breaches - it appears from the most recent data that around 80 percent of all affected organizations had their valid credentials exposed before being breached.

Hudson Rock was the first to draw attention to the spate of breaches at Snowflake customers. Its report on the matter was yanked offline after Snowflake's lawyers waded in citing inaccuracies, namely regarding Hudson Rock's assessment that a Snowflake staffer's account was compromised and used to exfiltrate customer data.

With all eyes on Snowflake, especially after many initially believed it to be responsible for the massive Ticketmaster and Santander breaches, it turned out to be incorrect. CEO Brad Smith said a former employee's account was pwned, but these were only used to access demo accounts that offer attackers nothing.

Smith was also the first to say that the "limited" number of customers that were breached were all using single-factor authentication - a big security no-no in 2024.

After dispelling any ideas that digital marauders ransacked its own infrastructure in any meaningful way, Snowflake had to make it very clear in its following comms that there was absolutely no compromise at the company itself. ®

https://www.theregister.com//2024/06/11/pure_storage_snowflake_breach/