Search This Blog

Powered by Blogger.

Blog Archive

Labels

About Me

Showing posts with label Ticketmaster. Show all posts

Stolen Customer Data from Ticketmaster Incident Resurfaces Online

 


Ticketmaster, one of the most prominent ticketing companies in the world, suffered a high-profile cyber-attack in May 2024 that affected the entire digital infrastructure of the company. The incident resulted in the unauthorised exposure of vast amounts of customer data, including personal information and payment details, placing millions of people at risk of harm. There was no doubt that security experts had linked the breach to ShinyHunters, a notorious hacker group known for its involvement in several large-scale data breaches, as well as ransomware attacks. 

Initial investigations suggest that the attackers may have exploited vulnerabilities in cloud-based systems, which reflects the increasing trend for cybercriminals to target third-party platforms and storage systems. Public and regulatory scrutiny has increased as a result of the breach, drawing attention to the increasing frequency and sophistication of cyberattacks on major consumer-facing platforms. 

Ticketmaster's breach serves as a stark warning of the vulnerabilities still present in today's cloud-based digital landscape, as forensic analysis continues and containment efforts are made. This emphasises the need for comprehensive cybersecurity practices and proactive risk mitigation strategies, which are imperative to the success of businesses. As the cybersecurity community went into the weekend, renewed concerns erupted over the claims of a relatively new threat actor operating under the name Arkana Security, which raised alarming concerns. 

Ticketmaster data that was claimed to have just been stolen by a group known as extortion-focused group was reportedly listed on its dark web leak site for sale at over 569 gigabytes, which they claim was newly stolen data. This post, accompanied by screenshots showing internal file directories and database structures, immediately sparked speculation that another large-scale attack had compromised the systems of one of the world's most prominent ticketing platforms, as shown in the screenshots. 

It has been revealed that this misinformation campaign was a deliberate act of misinformation that led to the operation being uncovered. It turns out that cyber analysts have confirmed what initial fears of the public were that the data which is being circulated is not the result of a fresh compromise, but rather is a repackaged version of the same set of data which was exfiltrated during the large-scale attacks of 2024 Snowflake based on credentials.

Previously, these breaches were connected to the notorious ShinyHunters hacking group, which was known for orchestrating numerous coordinated attacks across multiple organisations by utilising weak or poorly managed cloud access credentials to re-activate and monetise previously leaked material.

By misleading potential buyers and reigniting public concern, Arkana Security appears to be trying to revive and monetise previously leaked material. Moreover, this development confirms that public data breaches certainly have a long-tail impact. This also supports the argument that cyber extortion groups are increasingly relying on disinformation and rebranding to prolong the shelf life of stolen assets, thereby making public the fact that data breaches are having a long-tail impact. 

As part of an official statement released by Ticketmaster, it was confirmed that an unauthorised user had accessed a cloud database hosted by a third-party data services provider in an attempt to gain access to it. According to the document submitted to the Maine Attorney General's office, the incident is described as an external system breach, which is explicitly defined as a hacking incident. Following their investigations into Ticketmaster's data, cybersecurity experts determined that Snowflake, a cloud-based data warehouse company that was hosting the data at the time of the intrusion, was the third-party provider responsible for hosting the data. 

The attackers, according to analysts, obtained access by using stolen Snowflake account credentials, which allowed them to access the Ticketmaster database laterally through the platform. These findings suggest that Snowflake's environment may have been compromised; however, Snowflake firmly denied that any platform-level vulnerabilities or misconfigurations led to the breach, asserting that the breach was not due to any weaknesses within its infrastructure. 

Ticketmaster suffered widespread damage from the incident that went well beyond the technical compromise, causing widespread damage across a wide range of aspects of its operations. Financial Repercussions Although the company has not released a public accounting of the financial impact, similar high-profile breaches in the past have shown that significant losses could result. Equifax's 2017 breach, which involved hundreds of millions of users, resulted in a historic $575 million settlement that was the result of similar legal proceedings and regulatory scrutiny, especially given the size and sensitivity of the breached data. 

As a comparison to Equifax's 2017 breach, Ticketmaster's costs could be comparable. Reputational Harm. With Ticketmaster's brand reputation being damaged by this breach, Ticketmaster suffered substantial damage to its brand image. In the aftermath of that breach, the media began to focus on it, sparking a public debate about how such a dominant player in the digital entertainment ecosystem could be so vulnerable. Legal Consequences. 

It was the affected consumers who initiated the class action lawsuit against Ticketmaster and Live Nation Entertainment Inc. after the breach occurred. There is a lawsuit claiming that Ticketmaster did not adopt and implement adequate cybersecurity measures, thereby not fulfilling its duty to protect customer information. According to legal experts, this case could set a precedent in cloud-related breaches involving third-party providers in which responsibility can be given to third parties. Employee Impact.

The breach has not been discussed in public by any Ticketmaster employees, but indirect indicators provide insight into internal sentiment. According to Glassdoor, with over a thousand reviews, the company holds an average rating of 3.9 out of 5, with 83% of employees indicating that they would recommend it to their friends if they were able to find out what was going on. Customer Fallout. In today's interconnected digital environment, where cyberattacks have a wide range of impacts, this multifaceted fallout illustrates just how widespread the consequences of a cyberattack are, where a single breach can impact users, employees, legal entities, and even public trust as a whole. 

As the Ticketmaster breach has grown in importance over the past several years, it has been connected to a wave of coordinated cyberattacks connected with the Snowflake credential compromise incident, which occurred in 2024. As a result of the series of intrusions, a wide range of high-profile organisations, including Santander, AT&T, Neiman Marcus, Advance Auto Parts, Pure Storage, Cylance, and even the Los Angeles Unified School District, were all affected.

There was a well-known cybercriminal organisation called ShinyHunters at the centre of these attacks, a well-known cybercriminal organisation with a long history of obtaining and utilising stolen data to make money for its own. In the investigation that followed, it was discovered that Snowflake, one of the most popular cloud data warehousing services available, was compromised with the credentials used to launch these attacks. 

Once these credentials had been acquired, they could be used to access cloud environments and exfiltrate large volumes of sensitive corporate data from unprotected or poorly monitored endpoints, which had been exploited by infostealer malware. Several ransoms were demanded from victims for the theft of their confidential information, forcing them to choose between paying ransoms or revealing their private information to the public. A high-profile and widely extorted entity was Ticketmaster out of all those that had been affected.

There was unauthorised access gained by the attackers to databases that contained personal user information as well as ticketing records, which were listed on underground forums shortly after being accessed by the attackers. Ticketmaster took action to rectify the situation in late May 2024, and by data protection regulations, they notified affected customers of the breach. 

In order to increase pressure and maximise attention, the attackers published what they alleged to be "print-at-home" tickets, which allegedly included tickets associated with Taylor Swift concerts. This was a move that was clearly intended to arouse public interest and exert reputational pressure upon the attackers. In spite of Arkana Security, a relatively new group in the cyber extortion space, later surfacing with claims that it had fresh data from Ticketmaster, forensic analysis quickly uncovered inconsistencies despite the claim. 

In the file names and metadata, Arkana made reference to earlier leaks associated with ShinyHunters, suggesting that they repackaged and attempted to resell previously stolen data under the guise of a new breach, which is a sign that Arkana was trying to resell stolen data. The exact nature of Arkana’s involvement remains unclear. As far as I know, there is no way to tell whether the group acquired the data by purchasing it previously, whether they are acting as intermediaries for ShinyHunters, or if they are acting as part of the original threat operation, using a new alias. 

Whatever the role of the cybercriminals involved in the situation is, they remain a persistent and ever-evolving threat to the cyber community because they constantly recycle stolen information in order to reap the rewards of their efforts. Additionally, this reflects a broader trend where cybercriminals thrive on misinformation, duplication of data, and psychological manipulations aimed at both potential victims as well as buyers. 

In light of the Ticketmaster incident as well as the broader Snowflake-linked cyberattacks, it is imperative that organizations reevaluate their security posture concerning their cloud-based ecosystems and third-party services integrations in light of the Ticketmaster incident. It is important to realise that even industry giants are susceptible to persistent and well-planned cyber attacks, which have been demonstrated by this breach. 

As threat actors become more proficient at repackaging stolen data, leveraging digital supply chains to intensify extortion, and utilising misinformation to intensify extortion, businesses have to go beyond reactive containment as they become more agile. There is no longer a need for optional measures such as continuous credential hygiene, endpoint hardening, zero-trust architectures, and transparent vendor risk management; they have now become fundamental to security. 

Additionally, all companies must have a strategy in place to respond to cyber crises that ensures clear communication with stakeholders, timely disclosure of incidents, and legal preparedness. It's no secret that cybersecurity is changing very quickly. Only organisations that treat cybersecurity as a dynamic, business-critical function - and not as a checkbox - will be able to withstand attacks in the future.

Inside the Ticketmaster Hack: 440,000 Taylor Swift Fans at Risk

Inside the Ticketmaster Hack: 440,000 Taylor Swift Fans at Risk

In May, the hacking group ShinyHunters claimed to have gotten personal information from more than 500 million Ticketmaster users and was selling the data on the dark web, and the business has now admitted that consumer data may have been "exposed." 

The breach, initially believed to be limited in scope, has now escalated, affecting millions of ticket holders, including fans attending Taylor Swift’s Eras Tour. Let’s delve into the details of this high-stakes cybercrime.

Ticketmaster Data Breach: What You Need to Know

In an email sent to affected customers, Ticketmaster said that they had discovered "unauthorised activity" in a third-party cloud database, and that personal data of "some customers" who purchased tickets to events in North America (the United States, Canada, and/or Mexico) could have been compromised.

Ticketmaster confirmed that unauthorized access occurred, leading to the compromise of sensitive customer data. The hackers gained access to 193 million ticket barcodes, valued at an astonishing $22.6 billion. Among these, 440,000 tickets belong to Taylor Swift’s ongoing tour, leaving fans anxious and concerned.

The Ransom Demand

ShinyHunters, known for their audacity, demanded an $8 million ransom for the safe return of the stolen data. The group threatened to leak the ticket barcodes if their demands were not met promptly. Ticketmaster faced a dilemma: pay the ransom or risk exposing millions of customers’ personal information.

The American Ticket Sales and Distribution Company shared, "Ticketmaster’s SafeTix technology protects tickets by automatically refreshing a new and unique barcode every few seconds so it cannot be stolen or copied. This is just one of many fraud protections we implement to keep tickets safe and secure."

"Some outlets are inaccurately reporting about a ransom offer. We were never engaged for a ransom and did not offer them money," Ticketmaster confirmed. 

Potential Implications

1. Privacy Concerns

Customers trust platforms like Ticketmaster with their personal details, including names, addresses, and payment information. The breach jeopardizes this trust and raises questions about data security practices within the industry.

2. Financial Impact

Ticketmaster faces a double bind: pay the ransom and potentially encourage further attacks, or refuse and risk public outrage. The financial implications extend beyond the ransom amount. Legal fees, compensation to affected customers, and damage control efforts will strain the company’s resources.

3. Reputation Damage

Ticketmaster’s reputation hangs in the balance. Swift action is crucial to mitigate reputational harm. Customers may think twice before purchasing tickets through the platform, affecting future sales and partnerships.

Some Key Takeaways

  • Third-Party Risk: Organizations must carefully assess the security practices of third-party vendors who handle sensitive data.
  • Encryption Matters: While Ticketmaster’s payment card information was encrypted, it’s crucial to ensure strong encryption methods are in place.
  • Prompt Communication: Ticketmaster’s quick response in notifying affected customers demonstrates the value of timely communication during a breach.

Hackers Exploit Snowflake Data, Targeting Major Firms

 

Hackers who stole terabytes of data from Ticketmaster and other customers of the cloud storage firm Snowflake claim they gained access to some Snowflake accounts by breaching a Belarusian-founded contractor working with those customers. Approximately 165 customer accounts were potentially affected in this hacking campaign targeting Snowflake’s clients, with a few identified so far. 

It was a Snowflake account, with stolen data including bank details for 30 million customers and other sensitive information. Lending Tree and Advance Auto Parts might also be victims. Snowflake has not detailed how the hackers accessed the accounts, only noting that its network was not directly breached. Google-owned security firm Mandiant, involved in investigating the breaches, revealed that hackers sometimes gained access through third-party contractors but did not name these contractors or explain how this facilitated the breaches. 

A hacker from the group ShinyHunters said they used data from an EPAM Systems employee to access some Snowflake accounts. EPAM, a software engineering firm founded by Belarus-born Arkadiy Dobkin, denies involvement, suggesting the hacker’s claims were fabricated. ShinyHunters has been active since 2020, responsible for multiple data breaches involving the theft and sale of large data troves. EPAM assists customers with using Snowflake's data analytics tools. The hacker said an EPAM employee’s computer in Ukraine was infected with info-stealer malware, allowing them to install a remote-access Trojan and access the employee’s system. 

They found unencrypted usernames and passwords stored in a project management tool called Jira, which were used to access and manage Snowflake accounts, including Ticketmaster’s. The lack of multifactor authentication (MFA) on these accounts facilitated the breaches. Although EPAM denies involvement, hackers did steal data from Snowflake accounts, including Ticketmaster's, and demanded large sums to destroy the data or threatened to sell it. The hacker claimed they directly accessed some Snowflake accounts using the stolen credentials from EPAM’s employee. The incident underscores the growing security risks from third-party contractors and the importance of advanced security measures like MFA. 

Mandiant noted that many credentials used in the breaches were harvested by infostealer malware from previous cyber incidents. Snowflake’s CISO, Brad Jones, acknowledged the breaches were enabled by the lack of MFA and mentioned plans to mandate MFA for Snowflake accounts. This incident highlights the need for robust cybersecurity practices and vigilance, particularly when dealing with third-party contractors, to safeguard sensitive data and prevent similar breaches in the future.

Ticketmaster and Santander Breaches Expose Cloud Security Flaws


Recent data breaches at Ticketmaster and Santander Bank have exposed major security vulnerabilities in the use of third-party cloud storage services. These breaches highlight the urgent need for robust security measures as more organisations move their data to the cloud.

On May 20, Ticketmaster experienced a data breach involving a third-party cloud storage provider. The breach, disclosed in a regulatory filing by its parent company Live Nation Entertainment, compromised the data of approximately 550 million customers. This stolen data, including sensitive personal information, was reportedly put up for sale on a Dark Web forum by a group known as "ShinyHunters."

Just a week earlier, on May 14, Santander Bank revealed a similar breach. Unauthorised access to a cloud-hosted database exposed data belonging to customers and employees, primarily affecting those in Spain, Chile, and Uruguay. ShinyHunters also claimed responsibility for this breach, offering the stolen data—which includes 30 million customer records, 28 million credit card numbers, and other sensitive information—for sale at $2 million.

Both breaches have been linked to Snowflake, a renowned cloud storage provider serving numerous high-profile clients like MasterCard, Disney, and JetBlue. Although Snowflake acknowledged recent malicious activities targeting its customers, an investigation by Mandiant and CrowdStrike found no evidence of a vulnerability or breach within Snowflake’s own platform. The attackers apparently exploited single-factor authentication credentials obtained through infostealer malware, highlighting the importance of robust authentication measures.

David Bradbury, Chief Security Officer at Okta, stressed the importance of implementing multi factor authentication (MFA) and network IP restrictions for securing SaaS applications. However, he pointed out that attackers are increasingly bypassing MFA by targeting post-authentication processes, such as stealing session tokens. This highlights the need for additional security mechanisms like session token binding.

Michael Lyborg, CISO at Swimlane, emphasised the shared responsibility model in cloud security. While cloud providers like Snowflake offer best practices and security guidelines, it is ultimately up to customers to follow these protocols to protect their data. Lyborg suggested that enforcing MFA and adopting a zero-trust security model by default could enhance data protection by a notable measure.


Challenges in Enforcing Security Standards

Patrick Tiquet, VP of Security and Architecture at Keeper Security, argued that while uniform security measures might enhance protection, they could also limit the flexibility and customization that customers seek from cloud services. He noted that some organizations might have their own robust security protocols tailored to their specific needs. However, the recent breaches at Ticketmaster and Santander highlight the dangers of relying solely on internal security measures without adhering to industry best practices.

The breaches at Ticketmaster and Santander serve as critical reminders of the risks associated with inadequate cloud security measures. As organisations increasingly transition to cloud-based operations, both cloud providers and their customers must prioritise robust security strategies. This includes implementing strong authentication protocols, adhering to best practices, and fostering a culture of security awareness. Ensuring comprehensive protection against cyber threats is essential to safeguarding sensitive data in the digital age.


Ticketmaster Data Breach Affects Over 500 Million Customers


 


We are all music fans at heart, and recently the most eye-catching tour is the three-hour Taylor Swift concert. The platform that sells tickets for these in-demand tours, Ticketmaster, has taken a hit. In a substantial blow to one of the world’s largest ticketing services, Ticketmaster has reportedly suffered a massive data breach impacting over half a billion customers. According to Mashable, the hacker group known as ShinyHunters claims responsibility for stealing customer data from nearly 560 million users. Although Ticketmaster has yet to confirm the breach, ShinyHunters has a history of high-profile hacks and is now selling the stolen data on a popular hacking forum for $500,000.


Details of the Stolen Data

ShinyHunters alleges they have obtained a substantial 1.3 terabytes of data, including sensitive information such as full names, addresses, and phone numbers. Additionally, the breach encompasses detailed order histories, which reveal ticket purchase details and event information. Alarmingly, partial payment information, including names, the last four digits, and expiration dates of credit cards, is also among the compromised data.


While waiting for Ticketmaster's official response, it is crucial for affected customers to take proactive steps to protect themselves. The stolen data could be used for targeted phishing attacks, making it essential to remain vigilant when checking emails, messages, or mail. Cybercriminals may impersonate reputable companies to trick individuals into revealing passwords or financial information.


To mitigate risks, users should avoid clicking on links or downloading attachments from unknown senders and always verify the legitimacy of the sender’s email address. Implementing robust cybersecurity measures, such as using the best antivirus software for PCs, Macs, and Android devices, can provide additional protection against potential malware infections.


Steps to Take Following a Data Breach

In the wake of a data breach, companies typically offer guidance and access to identity theft protection services. However, Ticketmaster has not yet confirmed the breach or announced any support for affected customers. Until more information is available, individuals should monitor their accounts for suspicious activity and consider changing passwords for any online accounts associated with the compromised email addresses.


Given ShinyHunters' notorious track record, including the 2021 leak of 70 million AT&T subscribers’ information, the claims warrant serious attention.


This incident surfaces the importance of cybersecurity and the potential vulnerabilities even large companies face. As the situation develops, staying informed and cautious will be key for those potentially affected by this breach. We will continue to provide updates as more information becomes available from Ticketmaster and other reliable sources.



Ticketmaster Fined $10 Million by Department of Justice for Unlawful Business

Ticketmaster had to pay €7.3 Million ($10M) fine compensation for intervening in a rival company's computer systems, says the US Department of Justice. Ticketmaster agreed to pay a fine amount after it faced allegations by the US DoJ that the company gained unlawful access into rival company's systems to obtain information about its business. According to DoJ, the US ticket sales and distribution company illegally used retained passwords of a former employee of a rival company to access their computer systems. Ticketmaster had done this as a scheme to wipe out the competitor's business. Responding to the action, Ticketmaster has said that it feels good now that the issue is resolved.


The DoJ in the released statement said that the unlawful activity happened in 2017. The scheme involved 2 company employees, both now dismissed. According to Ticketmaster, the employees' actions violated their company policies and conflicted with their organizational values. Federal officers alleged Ticketmaster of computer intrusion, wire fraud, and other illegal activities dating back to 2013. The federals have agreed to remove charges in 3 years if the company doesn't make any trouble as per the federal prosecution deal. The inquiry emphasized the company's (Ticketmaster) attempts to obtain information, specifically related to concert pre-sale tickets, says the court statements. 

The rival is a UK based company with headquarters in Brooklyn, New York, but the information in legal documents suggest it was Songkick. Songkick holds expertise in offerings performance artists digital widgets called "artist's toolbox," which allowed Songkick to pre-sell tickets to their events on its online websites separately from ticket blocks which were available to Ticketmaster, a company owned by Live Nation Entertainment Inc. 

Live Nation and Ticketmaster unlawfully took a former worker rival company to get details about its business operations, client details, and marketing plans. The employee gave Ticketmaster the login credentials of his former company, which Ticketmaster used several times to gain access to computer systems and get information about Songkick's pricing to develop their own competing platform. 

Bloomberg reports, "songkick sued Live Nation and Ticketmaster in Los Angeles federal court and reached a $110 million settlement in 2018 that included the sale of its ticketing assets to Live Nation. Other Songkick assets had been sold earlier to Warner Music Group."