Ticketmaster Data Breach: Millions Potentially Affected
Ticketmaster recently confirmed a data breach that exposed the personal information of millions of customers worldwide. The attack targeted a cloud database hosted by Snowflake, a data warehousing platform, between April 2nd and May 18th, 2024. While Ticketmaster initially claimed the breach only impacted a limited number of users (around 1,000 according to their SEC filing), the true scope appears to be significantly larger.
A hacking group known as ShinyHunters claimed to possess stolen data from Ticketmaster containing information for a staggering 560 million users. This data, allegedly 1.3 terabytes in size, was offered for sale on a hacking forum for $500,000. The information reportedly included:
- Personal details: Names, contact information (phone numbers, email addresses)
- Ticket information: Ticket sales history, event details
- Financial information (potential): Hashed credit card details, payment amounts (depending on the user)
- Other: Customer fraud data (unspecified)
This discrepancy between Ticketmaster’s initial statement and the scale of the breach revealed by independent investigations has raised concerns about the company’s handling of the situation. Security experts criticize Ticketmaster for downplaying the severity of the incident and potentially underestimating the amount of data exposed.
In response to the breach, Ticketmaster is offering affected customers one year of free credit monitoring to help them track their credit history and mitigate the risk of identity theft. However, this offer does little to address the underlying issue of how the breach occurred.
The incident highlights the vulnerability of cloud-based platforms and underscores the critical need for robust cybersecurity practices, particularly for companies entrusted with sensitive user information. The attackers exploited compromised Ticketmaster credentials that lacked multi-factor authentication to gain access to the Snowflake database. Implementing multi-factor authentication can significantly reduce the risk of unauthorized access to online accounts.
Further details emerged about the scope of the breach, contradicting Ticketmaster’s initial claims. Samples of the data seen by security researchers at BleepingComputer revealed it contained more than just “basic contact information.” The exposed data reportedly included sensitive details such as:
- Full names
- Email addresses
- Phone numbers
- Physical addresses
- Hashed credit card details (for some users)
- Payment amounts (for some users)
This paints a far more concerning picture than Ticketmaster’s initial downplaying of the incident. After days of silence, Ticketmaster finally confirmed the breach in a Friday evening SEC filing on May 31st. However, they downplayed its significance, stating they did not believe it would have a “material impact” on their company.
The Ticketmaster breach is just one example of a larger trend. A joint investigation by Snowflake, Mandiant, and CrowdStrike revealed a concerning vulnerability in the Snowflake database platform. A threat actor, tracked as UNC5537, exploited compromised customer credentials to target at least 165 organizations. These organizations, like Ticketmaster, had failed to configure multi-factor authentication (MFA) protection on their accounts, leaving them vulnerable to attack. The attackers used credentials stolen by information-stealing malware infections dating back to 2020, highlighting the importance of keeping software and security measures up-to-date.
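An added example, not part of the original article or of the Snowflake, Mandiant or CrowdStrike reporting: one way an administrator could audit a Snowflake account for the gap described above, namely password-enabled users with no MFA enrollment. It assumes read access to the shared SNOWFLAKE.ACCOUNT_USAGE schema and the column names documented for its USERS and LOGIN_HISTORY views; the 90-day window is an arbitrary choice.

```sql
-- Added example: list active users who can log in with a password alone.
-- Assumption: the role running this can read SNOWFLAKE.ACCOUNT_USAGE.
WITH password_only_logins AS (
    -- Successful logins in the last 90 days that used a password
    -- and no second authentication factor.
    SELECT user_name,
           COUNT(*)                  AS logins_90d,
           COUNT(DISTINCT client_ip) AS distinct_ips_90d,
           MAX(event_timestamp)      AS last_password_only_login
    FROM snowflake.account_usage.login_history
    WHERE event_timestamp >= DATEADD(day, -90, CURRENT_TIMESTAMP())
      AND is_success = 'YES'
      AND first_authentication_factor = 'PASSWORD'
      AND second_authentication_factor IS NULL
    GROUP BY user_name
)
SELECT u.name,
       u.has_rsa_public_key,
       u.password_last_set_time,
       -- Old passwords matter here: the stolen credentials in this campaign
       -- dated back as far as 2020 and still worked.
       DATEDIFF(day, u.password_last_set_time, CURRENT_TIMESTAMP()) AS password_age_days,
       COALESCE(l.logins_90d, 0)       AS password_only_logins_90d,
       COALESCE(l.distinct_ips_90d, 0) AS distinct_ips_90d,
       l.last_password_only_login
FROM snowflake.account_usage.users AS u
LEFT JOIN password_only_logins AS l
       ON l.user_name = u.name
WHERE u.deleted_on IS NULL                                   -- user still exists
  AND COALESCE(LOWER(u.disabled::STRING), 'false') <> 'true' -- user not disabled
  AND u.has_password = TRUE                                  -- password login possible
  AND COALESCE(u.ext_authn_duo, FALSE) = FALSE               -- no Duo MFA enrolled
ORDER BY password_only_logins_90d DESC, password_age_days DESC;
```

Every row returned is an account that a stolen password alone would open; rows with a large password age or many distinct client IPs are the first candidates for a password reset and MFA enrollment.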
For users impacted by the breach, staying vigilant against identity theft attempts is crucial. Consider placing a temporary freeze on your credit report to prevent unauthorized access to new lines of credit. Additionally, be wary of phishing emails or calls that may attempt to exploit the breach by impersonating Ticketmaster or other official entities.
A data breach notification filed with the Maine Attorney General’s office reveals that unauthorized access was gained to a Ticketmaster database hosted by a separate cloud storage provider.