Pure Storage is the latest in a growing list of Snowflake breach victims

Pure Storage logo and branding pictured on a sign outside the company's office in Mountain View, California.
(Image credit: Getty Images)

Pure Storage systems were compromised as a result of the recent Snowflake data breach, the company has confirmed in a public security bulletin.

According to the bulletin, Pure Storage addressed an incident involving unauthorized third-party access to a “single Snowflake data analytics workspace” which contained personal information.

Specifically, the workspace contained telemetry the storage provider uses to deliver customer support services, such as company names, Lightweight Directory Access Protocol (LDAP) usernames, email addresses, and software version numbers. 

Pure Storage emphasized that no “compromising” information was breached, such as passwords or data on customer systems. This sort of information “is never and can never be communicated outside of the array itself, and is not part of any telemetry information”.

The firm also assured customers that telemetry information cannot be used to gain unauthorized access to customer systems.  

Pure Storage said it took immediate action to prevent further unauthorized access and has seen no other evidence of unusual activity across its systems. It has not found any unusual activity in customer systems either.

According to findings from a “leading cyber security firm” that Pure has engaged with, the firm’s conclusions have been validated.

“Pure Storage remains fully committed to providing timely and transparent updates to our customers and we will continue to monitor this situation and use this forum for important updates,” the firm said.

Pure Storage may be one of hundreds of victims

Following two big name data breaches at Ticketmaster and Santander, various reports have traced these issues to an incident at Snowflake, pointing towards credential stuffing techniques used to gain access to Snowflake’s database.

This has sparked a heated exchange, with Snowflake CISO Brad Jones blaming the inadequately secured environments of its customers rather than a specific vulnerability in the Snowflake platform. 

Cyber security firm Mandiant has since stated that a threat actor tracked as UNC5537 is “suspected to have stolen a significant volume of records from Snowflake customer environments”.

To be specific, Mandiant and Snowflake have notified around 165 potential victims of the breach, with both firms now conducting a joint investigation with various law enforcement agencies. 


Notably, Madniant’s investigation did not find evidence to suggest that the breach of Snowflake customer accounts stemmed from issues in Snowflake's enterprise environment.

“Instead, every incident Mandiant responded to associated with this campaign was traced back to compromised customer credentials,” Mandiant said. 

The firm explained that a single Snowflake instance had been compromised by a threat actor using stolen credentials, thus allowing said threat actor to access “valuable data” in this particular customer’s Snowflake environment. 

George Fitzmaurice
Staff Writer

George Fitzmaurice is a staff writer at ITPro, ChannelPro, and CloudPro, with a particular interest in AI regulation, data legislation, and market development. After graduating from the University of Oxford with a degree in English Language and Literature, he undertook an internship at the New Statesman before starting at ITPro. Outside of the office, George is both an aspiring musician and an avid reader.