Miscreants claim they've snatched 560M people's info from Ticketmaster
All that data allegedly going for a song on revived BreachForums
Updated: Ticketmaster is believed to have had its IT breached by cybercriminals who claim to have stolen 1.3TB of data on 560 million of the corporation's customers – and are now selling all that info for $500,000.
On Wednesday, Australia's Department of Home Affairs told The Register that government, at least, is "aware of a cyber incident impacting Ticketmaster," and that the "National Office of Cyber Security is engaging with Ticketmaster to understand the incident."
The records allegedly swiped from Ticketmaster include customers' names, email addresses, phone numbers, and physical addresses, as well as order info and credit card details — specifically, the last four digits of the cards plus names and expiration dates.
California-based Ticketmaster did not respond to The Register's inquiries about the claimed security breach, including when the data would have been stolen — and what, if anything, happened in the claimed heist and its aftermath.
A group of one or more miscreants using the handle ShinyHunters put the purportedly stolen Ticketmaster files up for sale on an underworld forum, and said the data included "customer fraud details" and "much more." To be clear: The Register has not verified the alleged customer database dump.
According to infosec watchers at VX-Underground, ShinyHunters quite possibly did not steal the data and are instead peddling it on behalf of the actual thieves. The records appear to go back to 2011, if not the 2000s, we're told.
"Whether the dataset is real and, if it is, where and when it was obtained are both unclear," noted Emsisoft threat analyst Brett Callow, who shared a screenshot of ShinyHunters' for-sale notice on Tuesday. This was before the Australian government confirmed there was at least a "cyber incident" affecting Ticketmaster.
The purported Ticketmaster data went on sale on Tuesday on the now-revived BreachForums, which declares the ShinyHunters crew as its administrator.
ShinyHunters was one of two previous BreachForums administrators, before police shut down an earlier incarnation of the notorious marketplace for stolen data and reportedly cuffed the other suspected admin two weeks ago. ShinyHunters told DataBreaches it did contact Ticketmaster before offering the customer data for sale, and claimed the biz never opened the message nor responded to it.
This is the same crew of miscreants who bragged about stealing private info belonging to 70 million AT&T customers in August 2021 before trying to sell it for $1 million.
If it's legit, the Ticketmaster data dump comes at an especially bad time for the corporation, which is owned by Live Nation Entertainment.
Last week, the US Department of Justice, along with 30 state and district attorneys general, sued the entertainment giant for its allegedly anti-competitive business practices, and "monopolistic control over the live events industry."
Plus, fans are still unhappy with the ticket giant over last November's bot fiasco, which broke the Ticketmaster website and forced it to cancel its general sale of Taylor Swift concert tickets. The Swifties were not pleased.
Ani Chaudhuri, co-founder and CEO of data security firm Dasera, told The Register the long-term impact to Ticketmaster's reputation and customer trust could be "profound," following the latest breach accusations.
"To regain credibility, Ticketmaster should be transparent about the breach, its impact, and the steps to prevent future incidents," Chaudhuri said, suggesting a full-blown review and overhaul of its security infrastructure. ®
Updated to add on May 31
Ticketmaster's parent Live Nation has just told the SEC it "identified unauthorized activity within a third-party cloud database environment containing company data and launched an investigation with industry-leading forensic investigators to understand what happened."
"On May 27, 2024," the corporation continued, "a criminal threat actor offered what it alleged to be company user data for sale via the dark web. We are working to mitigate risk to our users and the company, and have notified and are cooperating with law enforcement.
"As appropriate, we are also notifying regulatory authorities and users with respect to unauthorized access to personal information."