{
	"id": "4bfe9b00-666e-4786-a593-ed0998730b97",
	"created_at": "2026-04-06T00:09:55.587224Z",
	"updated_at": "2026-04-10T13:12:56.923734Z",
	"deleted_at": null,
	"sha1_hash": "06bcf0ce0ce19ceb4df9466a81b53571988de910",
	"title": "Pure Storage confirms data breach after Snowflake account hack",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 3012245,
	"plain_text": "Pure Storage confirms data breach after Snowflake account hack\r\nBy Sergiu Gatlan\r\nPublished: 2024-06-11 · Archived: 2026-04-05 21:51:39 UTC\r\nPure Storage, a leading provider of cloud storage systems and services, confirmed on Monday that attackers breached its\r\nSnowflake workspace and gained access to what the company describes as telemetry information.\r\nWhile the exposed information also included customer names, usernames, and email addresses, it did not contain credentials\r\nfor array access or any other data stored on customer systems.\r\n\"Following a thorough investigation, Pure Storage has confirmed and addressed a security incident involving a third party\r\nthat had temporarily gained unauthorized access to a single Snowflake data analytics workspace,\" the storage company said.\r\nhttps://www.bleepingcomputer.com/news/security/pure-storage-confirms-data-breach-after-snowflake-account-hack/\r\nPage 1 of 4\n\n0:00\r\nhttps://www.bleepingcomputer.com/news/security/pure-storage-confirms-data-breach-after-snowflake-account-hack/\r\nPage 2 of 4\n\nVisit Advertiser websiteGO TO PAGE\r\n\"The workspace contained telemetry information that Pure uses to provide proactive customer support services. 
That\r\ninformation includes company names, LDAP usernames, email addresses, and the Purity software release version number.\"\r\nPure took measures to prevent further unauthorized access to its Snowflake workspace and has yet to find evidence of\r\nmalicious activity on other parts of its customer infrastructure.\r\n\"We are currently in contact with customers who similarly have not detected unusual activity targeting their Pure systems,\"\r\nthe company added.\r\nMore than 11,000 customers use Pure Storage's data storage platform, including high-profile companies and organizations\r\nlike Meta, Ford, JP Morgan, NASA, NTT, AutoNation, Equinix, and Comcast.\r\nAt least 165 orgs likely impacted by Snowflake attacks\r\nIn a joint advisory with Mandiant and CrowdStrike, Snowflake revealed that attackers use stolen customer credentials to\r\ntarget accounts lacking multi-factor authentication protection.\r\nMandiant also linked the Snowflake attacks to a financially motivated threat actor tracked as UNC5537 since May 2024.\r\nThe malicious actor gains access to Snowflake customer accounts using customer credentials stolen in historical infostealer\r\nmalware infections dating back to 2020, targeting hundreds of organizations worldwide and extorting victims for financial\r\ngain.\r\n\"The impacted accounts were not configured with multi-factor authentication enabled, meaning successful authentication\r\nonly required a valid username and password,\" Mandiant said.\r\n\"Credentials identified in infostealer malware output were still valid, in some cases years after they were stolen, and had not\r\nbeen rotated or updated. 
The impacted Snowflake customer instances did not have network allow lists in place to only allow\r\naccess from trusted locations.\"\r\nUNC5537 Snowflake attack timeline (Mandiant)\r\nSo far, the cybersecurity company has identified hundreds of customer Snowflake credentials exposed in Vidar, RisePro,\r\nRedline, Racoon Stealer, Lumma, and Metastealer infostealer malware attacks.\r\nSnowflake and Mandiant have already notified around 165 organizations potentially exposed to these ongoing attacks.\r\nWhile Mandiant has not disclosed much information about UNC5537, BleepingComputer has learned that they are part of a\r\nlarger community of threat actors who frequently visit the same websites, Telegram and Discord servers, where they\r\nregularly collaborate on attacks.\r\nRecent breaches at Santander, Ticketmaster, and QuoteWizard/LendingTree have also been linked to these ongoing\r\nSnowflake attacks. Ticketmaster's parent company, Live Nation, confirmed that a data breach affected the ticketing firm after\r\nits Snowflake account was compromised on May 20.\r\nA threat actor is now selling 3TB of data from automotive aftermarket parts provider Advance Auto Parts, allegedly\r\nincluding 380 million customer profiles and 44 million Loyalty / Gas card numbers (with customer details), stolen after the\r\ncompany's Snowflake account was breached.\r\nSource: https://www.bleepingcomputer.com/news/security/pure-storage-confirms-data-breach-after-snowflake-account-hack/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.bleepingcomputer.com/news/security/pure-storage-confirms-data-breach-after-snowflake-account-hack/"
	],
	"report_names": [
		"pure-storage-confirms-data-breach-after-snowflake-account-hack"
	],
	"threat_actors": [
		{
			"id": "358432a9-d927-43c7-9201-b7aa7d184c26",
			"created_at": "2024-06-20T02:02:10.317536Z",
			"updated_at": "2026-04-10T02:00:05.043265Z",
			"deleted_at": null,
			"main_name": "UNC5537",
			"aliases": [],
			"source_name": "ETDA:UNC5537",
			"tools": [],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "c3c24777-7c0f-4772-b273-2163ac5a6b67",
			"created_at": "2024-06-19T02:00:04.373472Z",
			"updated_at": "2026-04-10T02:00:03.651748Z",
			"deleted_at": null,
			"main_name": "UNC5537",
			"aliases": [],
			"source_name": "MISPGALAXY:UNC5537",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434195,
	"ts_updated_at": 1775826776,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/06bcf0ce0ce19ceb4df9466a81b53571988de910.pdf",
		"text": "https://archive.orkl.eu/06bcf0ce0ce19ceb4df9466a81b53571988de910.txt",
		"img": "https://archive.orkl.eu/06bcf0ce0ce19ceb4df9466a81b53571988de910.jpg"
	}
}