Ticketmaster confirms significant data breach

4 Jun 2024


Tuesday 04 June 2024

On Friday, Ticketmaster owner Live Nation confirmed that "unauthorised activity" on its database on the 20th May resulted in the personal details of an estimated 560m customers being stolen by hackers. What is not clear is how the breach occurred, with a series of different reports and retractions in the past few days.

Initially, cybercrime intelligence firm HudsonRock reported that the breach was a result of data stolen from a third-party cloud database provider, believed to be Snowflake. It was believed the hacker broke into an employee account at Snowflake, using stolen credentials to bypass Okta’s secure authentication system and access a ServiceNow account. That report has, however, since been retracted without comment.

In a statement over the weekend, Snowflake CISO Brad Jones, backed by CrowdStrike and Mandiant, pushed back on claims that major data breaches involving Ticketmaster, and another at Santander (which also confirmed data from an estimated 30m customers was stolen), were caused by a vulnerability or misconfiguration in Snowflake’s platform. Snowflake did admit that it found evidence that a threat actor obtained personal credentials to, and accessed, demo accounts belonging to a former Snowflake employee, but said those accounts did not contain sensitive information.

According to Bleeping Computer, a threat actor known as Shiny Hunters has been attempting to sell the Ticketmaster data on a hacking forum for $500k. The allegedly stolen databases supposedly contain 1.3TB of data, including customers' full details (i.e., names, home and email addresses, and phone numbers), as well as ticket sales, order, and event information for 560 million customers.

So, who is at fault, and is the reported size of the breach credible? That is hard to say at this stage. If the Ticketmaster data being sold by Shiny Hunters is accurate, then more than access to a demo account was the cause, and clearly, once again, some significant basic security protocols have been lax at Ticketmaster and/or one of its cloud or managed services providers. Snowflake has been very evasive about its role, but multiple sources have highlighted increased recent attacks on Snowflake instances, and if that is the case this may just be the beginning of more to come.

Posted by: Simon Baxter at 09:50

© TechMarketView LLP 2007-2024: Unauthorised reproduction prohibited see full Terms and Conditions.
