In a significant breach, nearly 39,000 TicketFast print-at-home tickets for 154 events have been leaked by hackers in an ongoing extortion campaign against Ticketmaster. The leaked tickets include upcoming concerts for major artists such as Pearl Jam, Phish, Tate McRae, and Foo Fighters. This breach is part of a broader attack by the threat actor group ‘Sp1derHunters,’ who have been selling data stolen from Snowflake accounts.

Since April, threat actors have been exploiting stolen credentials to download Snowflake databases from at least 165 organizations. By May, the notorious hacker group ShinyHunters began selling data allegedly containing information on 560 million Ticketmaster customers, which was also stolen from Snowflake. Ticketmaster confirmed this breach, revealing that hackers demanded $500,000 to prevent the data from being leaked or sold further.

Technical Details of the Data Breach

Recently, Sp1derHunters escalated their campaign by leaking 166,000 Taylor Swift ticket barcodes, raising their extortion demand to $2 million. Ticketmaster responded by emphasizing the robustness of their anti-fraud measures, specifically their SafeTix technology, which refreshes mobile ticket barcodes every few seconds. “Ticketmaster’s SafeTix technology protects tickets by automatically refreshing a new and unique barcode every few seconds so it cannot be stolen or copied,” Ticketmaster stated to BleepingComputer.

However, Sp1derHunters countered by releasing print-at-home tickets whose barcodes cannot be rotated. They posted on a hacking forum that Ticketmaster was misleading the public about the effectiveness of their barcode security. “Physical ticket types like TicketFast, e-ticket, and mail cannot be automatically refreshed,” they claimed, sharing a CSV file with barcode data for 38,745 TicketFast tickets.

Implications for Affected Parties

The leaked data impacts a wide array of events, including concerts by Aerosmith, Alanis Morissette, Billy Joel & Sting, Bruce Springsteen, Carrie Underwood, Cirque du Soleil, Dave Matthews Band, Foo Fighters, Metallica, Pearl Jam, Phish, P!NK, Red Hot Chili Peppers, Stevie Nicks, STING, Tate McRae, and $uicideboy$. Users opting for TicketFast delivery receive their tickets as PDFs via email, which they can print out and use for entry.

Since these are not mobile tickets, the threat actors assert that Ticketmaster’s current anti-fraud mechanisms are ineffective for these types. Instead, Ticketmaster would need to void and reissue the tickets to affected customers. The hackers even provided a guide on converting the leaked ticket data into scannable barcodes, facilitating the creation of counterfeit tickets using TicketFast templates.

This incident is part of a larger wave of attacks targeting Snowflake accounts, with Sp1derHunters previously attempting to extort companies like Neiman Marcus, Los Angeles Unified School District, Advance Auto Parts, Pure Storage, and Santander. These breaches underscore the importance of robust security measures and vigilance in protecting sensitive customer data.

This ongoing extortion campaign against Ticketmaster highlights the vulnerabilities in handling digital and physical ticket types. The precise and detailed information about the nature of the breach, methods used by threat actors, and the response from Ticketmaster is crucial for cybersecurity professionals, IT security teams, event organizers, and Ticketmaster customers. It serves as a stark reminder of the ever-evolving threats in the digital landscape and the need for advanced security measures to protect against such breaches.