Ticketmaster confirms data breach with a SEC filing

Access was gained through a third-party cloud database provider, which we know to be Snowflake.

Live Nation Entertainment, also known as Ticketmaster, has submitted an official Form 8-K with the U.S. Securities and Exchange Commission (SEC), acknowledging and confirming that the recently rumored data breach is real.

In the filing, Ticketmaster says that on May 20, 2024, Live Nation Entertainment, Inc. discovered unauthorized activity within a third-party cloud database environment that contained company data, primarily from its Ticketmaster L.L.C. subsidiary. The company immediately launched an investigation with the help of leading forensic experts to understand the extent and nature of the breach.

On May 27, 2024, a criminal actor claimed to have company user data for sale on the dark web. Live Nation is actively working to mitigate the risk to its users and the company. They have notified and are cooperating with law enforcement agencies. Additionally, they are informing regulatory authorities and affected users about unauthorized access to personal information.

The company says they continue to assess the risks and are working on remediation efforts.

What happened? A timeline.

Starting May 29th, when a group called ShinyHunters published the initial data for sale on dark web forums, numerous key events have been associated with this breach. Here is a complete timeline of the events as they happened:

  • May 27, 2024 — A dark web user with no previous breach reputation published a forum post saying they had data on 560 million Ticketmaster users for sale: name, address, email, phone numbers, order details, etc.
  • May 29, 2024 — The dark web threat group ShinyHunters reposted the sale of this data themselves on BreachForums, which gave this story immediate credibility. ShinyHunters has a history of high-level data breaches. Following this, major news media immediately picked up the story and began publishing articles saying Ticketmaster had been hacked.
  • May 30, 2024 — A reputable cybersecurity group called vx-underground was given sample data from the Ticketmaster breach. They said, “Based on data provided to us by the Threat Group responsible for the compromise, we can assert with a high degree of confidence that the data is legitimate.”
  • May 31, 2024 — The BBC published a news article saying that Santander, a major financial organization, had been breached, and all customer data was offered for sale: the price was $2 million. At the time, there was no connection between this story and Ticketmaster’s. Until…
  • May 31, 2024 — The security research group at Hudson Rock published a story (✤) about a conversation with the threat actor responsible for the Ticketmaster and Santander breaches. According to the perpetrator, these breaches were made possible by breaching Snowflake, a cloud provider of data solutions. Both Santander and Live Nation are Snowflake customers.
  • May 31, 2024 — Snowflake published a security bulletin acknowledging the breach. They don’t acknowledge the exact method of breach implied by the perpetrator, but they don’t deny it either. What matters here is that there is a connection with everything that happened before.
  • May 31, 2024 — The Securities and Exchange Commission (SEC) published the Live Nation filing disclosing the Ticketmaster breach. Details are very sparse at this time, and we should expect more updates in the coming days or weeks.

According to the Hudson Rock story about the conversation with the perpetrator, he had initially wanted to get $20 million from Snowflake in exchange for never publishing the data, whether from Ticketmaster, Santander, or the other 400 companies he alleges he had access to.

To put it bluntly, a single credential resulted in the exfiltration of potentially hundreds of companies that stored their data using Snowflake, with the threat actor himself suggesting 400 companies are impacted. The goal of the threat actor, as in most cases, was to blackmail Snowflake into buying their own data back for $20,000,000.

Hudson Rock

It’s important to note that the language used by all the parties involved in this situation has been extremely obscure. For example, at the time of this publication, Snowflake has not explicitly stated that the threat actor did not gain access to extremely sensitive data. Snowflake has also declined to comment on the situation when asked about it.

Likewise, at the time of this publication, Ticketmaster has not yet begun notifying its users of the data breach. The entire timeline suggests that this could potentially be the largest data breach ever (all things considered), yet there is very little direct confirmation outside of Live Nation’s SEC filing.

UPDATE 6/2/2024 10:31 GMT: Please see the post below for an update from Snowflake, in which they deny that their systems were breached and say it is their customers themselves who “failed to follow best security practices”.

✤: Stack Diary is aware that Hudson Rock has removed its blog post showcasing the perpetrator’s conversation. This was likely done because Hudson Rock unknowingly/knowingly doxxed (revealed personal details of) an employee whose account was breached at Snowflake. We’ve reached out for comment.