After Santander, Ticketmaster, and Advance Auto Parts Data Breaches, Pure Storage Has Also Confirmed a Data Breach Caused by a Snowflake Account Hack.
What Happened in the Pure Storage Data Breach?
Storage leader Pure Storage recently confirmed a security incident in which an unauthorised third party gained temporary access to one of its Snowflake data analytics workspaces. The exposed workspace contained telemetry information that Pure Storage uses to provide proactive customer support, including customer names, usernames, email addresses, and the Purity software release version number.
Pure Storage immediately took measures to prevent any further unauthorised access to the compromised Snowflake workspace. Its investigation found no evidence of malicious activity on other parts of its customer infrastructure. The company is in contact with customers, who have also reported no unusual activity targeting their Pure systems.
Mandiant Links Snowflake Account Hack to UNC5537
In a joint advisory, Snowflake, together with cybersecurity firms Mandiant and CrowdStrike, revealed that the attackers were exploiting stolen customer credentials on accounts lacking multi-factor authentication. Mandiant linked the attacks to the financially motivated threat actor UNC5537, active since May 2024.
UNC5537 uses credentials extracted from long-standing malware infections, some dating back to 2020. Hundreds of organisations worldwide have been affected. Successful authentication to the impacted Snowflake accounts required only a valid username and password, as MFA was not enabled. Stolen credentials remained valid for authentication even years after the original theft.
Mandiant has identified hundreds of exposed Snowflake customer credentials leaked by past Vidar, RisePro, Redline, Raccoon Stealer, Lumma and Metastealer infostealer malware infections. Around 165 organisations have been notified of potential compromise resulting from these ongoing account hacks.
Related Data Breaches Traced to Snowflake Credential Theft
Recent major breaches at companies including Santander bank, Live Nation-owned Ticketmaster and automotive parts provider Advance Auto Parts have been connected to this Snowflake credential theft. Ticketmaster confirmed a breach in May after a 3TB cache of its data, containing user details taken from its compromised Snowflake account, was quietly offered for sale by UNC5537.
The Pure Storage data breach and the follow-up investigation reveal the far-reaching impact of stolen credentials combined with a lack of MFA. Proper access controls and security best practices such as regular password rotation could have prevented these interconnected breaches and reduced the blast radius of the Snowflake account hacks. Organisations must also remain vigilant and be prepared to respond swiftly to contain any incidents.
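As an added defender-side check that is not drawn from the article or from the vendors' reports, the two Snowflake SQL queries below use the built-in SNOWFLAKE.ACCOUNT_USAGE views to surface the two conditions described above: successful password-only logins with no second factor, and users who can still authenticate with a password but have neither MFA nor a key-pair alternative. The 90-day window is an assumption chosen for illustration.

```sql
-- Added example, not from the article. Requires a role granted access to the
-- SNOWFLAKE database (ACCOUNTADMIN by default). ACCOUNT_USAGE views lag live
-- activity by up to about two hours, so treat results as near-real-time, not live.

-- 1. Successful logins in the last 90 days (assumed window) that relied on a
--    password alone: no second authentication factor was presented.
SELECT
    user_name,
    client_ip,
    reported_client_type,
    COUNT(*)             AS password_only_logins,
    MIN(event_timestamp) AS first_seen,
    MAX(event_timestamp) AS last_seen
FROM snowflake.account_usage.login_history
WHERE is_success = 'YES'
  AND first_authentication_factor = 'PASSWORD'
  AND second_authentication_factor IS NULL
  AND event_timestamp >= DATEADD('day', -90, CURRENT_TIMESTAMP())
GROUP BY user_name, client_ip, reported_client_type
ORDER BY password_only_logins DESC;

-- 2. Active users who hold a password but have no Duo MFA enrolled and no RSA
--    key pair registered. password_last_set_time shows how old each password is,
--    which matters because stolen credentials stayed valid for years.
SELECT
    name,
    login_name,
    email,
    password_last_set_time,
    last_success_login
FROM snowflake.account_usage.users
WHERE deleted_on IS NULL
  AND disabled::BOOLEAN = FALSE
  AND has_password::BOOLEAN = TRUE
  AND ext_authn_duo::BOOLEAN = FALSE
  AND has_rsa_public_key::BOOLEAN = FALSE
ORDER BY password_last_set_time NULLS FIRST;
```

Accounts appearing in both result sets are the ones a leaked password from an old infostealer infection would still open today; enforcing MFA for them (or moving them to key-pair or SSO authentication) closes the gap the article describes.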