Ticketmaster reports cloud database breach to US stock market watchdog SEC

Update 01/06/2024 – Live Nation, the company behind Ticketmaster, has reported a break-in on its systems to the US Securities and Exchange Commission (SEC). On 20 May, a threat actor allegedly accessed a Ticketmaster cloud database storing company data. The company said it subsequently launched an investigation in collaboration with outside experts. Ticketmaster and Live Nation did not comment further in the media.

In its report to watchdog SEC, Live Nation mentioned that a week after the unauthorised activity, on 27 May, a criminal actor offered the company’s user data for sale via the dark web. That presumably concerned the data of 560 million Ticketmaster customers that ShinyHunters wanted to offload for 500,000 dollars.

In its statement, Live Nation says it is doing all it can to mitigate the risks to users and the company and is cooperating with authorities. Further, the company says the incident had ‘no material impact’ on its operations or financial situation.

Snowflake: no evidence for vulnerability on our part

US cybersecurity specialist Hudson Rock claimed yesterday that the data was stolen from a Snowflake cloud database. The company had apparently spoken with an attacker behind the incident. Data was allegedly captured not only from Ticketmaster, but also from Spanish bank Santander and possibly many other customers. Santander has since publicly announced a data theft.

In response to Hudson Rock, Snowflake stated that the company had found no evidence that the activity was caused by a vulnerability, misconfiguration, or breach of Snowflake’s platform. Cybersecurity experts from CrowdStrike and Mandiant support these preliminary findings, Snowflake said.

According to Snowflake, this appears to be a specific campaign targeting users with single-factor authentication. Criminal actors allegedly used stolen or compromised customer login credentials.

However, the company further said that malicious parties did gain access to a demo account of a former Snowflake employee. According to Snowflake, this account contained no sensitive data and was not connected to Snowflake’s production or business systems. Access was possible because the account was not behind Okta or MFA, as opposed to Snowflake’s production systems. With this statement, the company seems to want to say that the compromised demo account cannot be the cause of the Ticketmaster data theft.
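Snowflake attributes the campaign to accounts protected by a password alone. The query below is an added example, not part of the article or of Snowflake's own material: it runs against the SNOWFLAKE.ACCOUNT_USAGE.LOGIN_HISTORY view to list accounts that logged in successfully with only a password and no second factor, so an administrator can see which accounts match the profile described above. The 30-day window and the ordering are assumptions chosen for illustration.

```sql
-- Added example (not from the article): find accounts whose successful logins
-- completed with a password and no second factor during the last 30 days.
-- Columns used are those of SNOWFLAKE.ACCOUNT_USAGE.LOGIN_HISTORY; the window
-- and sort order are illustrative assumptions.
SELECT
    user_name,
    COUNT(*)                  AS single_factor_logins,
    COUNT(DISTINCT client_ip) AS distinct_source_ips,
    MIN(event_timestamp)      AS first_seen,
    MAX(event_timestamp)      AS last_seen
FROM snowflake.account_usage.login_history
WHERE is_success = 'YES'
  AND event_timestamp >= DATEADD('day', -30, CURRENT_TIMESTAMP())
  AND first_authentication_factor = 'PASSWORD'
  AND second_authentication_factor IS NULL
GROUP BY user_name
ORDER BY distinct_source_ips DESC, single_factor_logins DESC;
```

Accounts with many distinct source IPs and no second factor are the ones to enrol in MFA first; the view lags live activity by up to a few hours, so it is a review tool rather than a real-time alert.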

Hudson Rock’s blog post has since been removed, but an archived copy remains available.

Update 30/05/2024 by Berry Zwets – The data of 560 million Ticketmaster users appears to have been obtained via AWS instances. In April, an unidentified group had access to the instances.

So claims vx-underground, a platform knowledgeable about the cybercrime world. The website spoke to several people involved and concluded that, contrary to initial reports, ShinyHunters was not responsible for performing the attack. ShinyHunters, as an individual or group, was allegedly behind the auction of the data, however. Vx-underground therefore describes ShinyHunters as a proxy for the threat group actually behind the compromise of the data.

In addition, vx-underground obtained a sample and can state with great certainty that the data is legitimate. The data goes back to 2011. Vx-underground confirms that the data involves the full name, email address, postal address, phone number, credit card number (hashed), credit card type and authentication type, and all financial transactions of users. It has not yet been able to verify the financial information.

Original 29/05/2024 – An individual or group known as ShinyHunters has allegedly captured the personal data of 560 million Ticketmaster customers. The more than 1.3 terabytes of stolen data include names and addresses, phone and order information, and partial credit card information. The data is for sale for 500,000 dollars (462,000 euros) on Breach Forums.

The partial credit card data includes the names of card owners, the last four digits of card numbers, expiration dates and, in some cases, whether fraud was ever attempted with the card itself.

People whose data has been stolen by ShinyHunters are now at risk of identity theft, fraud attempts and scams. According to the website Hackread, ShinyHunters has informed this site that they are trying to get in touch with Ticketmaster. The company reportedly has not yet responded. The data appeared on May 28 on Breach Forums, an online platform run by ShinyHunters themselves.

Australian broadcaster ABC reports that because many Ticketmaster users are in Australia, the company is working with the country’s Department of Home Affairs.

Data theft specialist

ShinyHunters is notorious for large-scale data theft in the past. In 2022, it leaked the data of 70 million customers of U.S. telecom provider AT&T. That same year, it also hacked the Indonesian e-commerce company Tokopedia. Earlier, it captured large amounts of customer data from Microsoft, photo app Pixlr and men’s clothing retailer Bonobos. It also stole the data of 40 million users of Wishbone, an app where users can express their preference between two similar products.

A salient detail is that Breach Forums, which has a presence on both the “regular” Internet and the dark web, was recently seized by the U.S. national police service FBI, yet suddenly resurfaced. The seizure happened in cooperation with other investigative authorities elsewhere in the world. The hackers apparently managed to wrest their domain back from the long arm of the law, presumably through a request to the domain registrar in Hong Kong. Incidentally, it could also be a honeypot, reports The Hacker News.

The group’s name refers to the popular Pokémon games. In those games, ‘shiny’ Pokémon are the rarest and most sought-after. Just as players of that game collect these virtual critters, ShinyHunters collects customer and user data.