
Data storage company Pure Storage identified itself as an initial target in cyber attacks linked to Snowflake, a prominent cloud-based data platform.

The data storage company asserts that data exposed in the hack does not grant unauthorized access to users' system accounts.

Pure Storage Identified as Initial Target in Cyber Attacks Linked to Snowflake

In a recent turn of events, Pure Storage has confirmed that it has been impacted by a series of identity-based attacks targeting Snowflake customer databases. The cybercriminal group responsible for these attacks has been identified as Scattered Spider, a group known for gaining access to Snowflake accounts primarily through social engineering tactics.

The attack on Pure Storage was limited to a single Snowflake data analytics workspace. Exposed information includes company names, Lightweight Directory Access Protocol (LDAP) usernames, email addresses, and Purity software release version numbers. However, the data analytics workspace did not include compromising information such as passwords for array access, or any of the data stored on customer systems.

Pure Storage took immediate action to block further unauthorized access to the workspace. The company plans to continue monitoring the situation and will provide timely, important updates as it learns more. Unfortunately, the company was not immediately available for comment regarding the breach.

The attackers gained access using stolen credentials obtained from multiple infostealer malware infections on systems not owned by Snowflake. Stolen credentials for customer systems unprotected by Multi-Factor Authentication (MFA) were identified as the cause of the attacks. The attacks were not caused by a vulnerability, misconfiguration, or breach of Snowflake's systems.

It's worth noting that Pure Storage is the first Snowflake customer to publicly confirm being impacted by these attacks. Snowflake and Mandiant have notified approximately 165 potentially exposed customers, but the number of Snowflake customers affected by the attacks is at least 100. Snowflake has not identified any of its customers impacted by the attacks.

The attacks span large organizations in sectors like retail, insurance, and airlines. The scale and rapid data exfiltration tactics described imply that a significant but unspecified portion of Snowflake's customer base has been affected.

After these incidents, Snowflake announced measures such as blocking single sign-on access and enforcing MFA starting August 2025 to mitigate these attacks. The group also exploits communication platforms like Slack, Microsoft Teams, and Microsoft Exchange Online within targeted organizations to monitor and evade detection during their intrusions.

Pure Storage urges all its customers to ensure their accounts are configured with MFA to strengthen their security posture. The company will continue to work closely with Snowflake and other cybersecurity firms to address this issue and protect its customers' data.


  1. Pure Storage's incident response team is currently addressing a breach that occurred due to stolen credentials from infostealer malware infections on non-Snowflake systems, not from any vulnerability or misconfiguration in Snowflake's systems.
  2. The Scattered Spider cybercriminal group, known for social engineering tactics, is responsible for the identity-based attacks targeting Snowflake customer databases, including Pure Storage's workspace.
  3. Pure Storage's exposed data includes company names, LDAP usernames, email addresses, and Purity software release version numbers but does not include compromising information such as passwords for array access or customer system data.
  4. After these incidents, Snowflake has announced measures such as blocking single sign-on access and enforcing Multi-Factor Authentication (MFA) starting August 2025 to bolster cybersecurity and protect data-and-cloud-computing services, specifically from the tactics employed by Scattered Spider.
