Entertainment giant Ticketmaster acknowledges cybersecurity incident

The reported breach could involve as many as 560 million customer records.
In this photo illustration, a Ticketmaster website is shown on a computer screen on November 18, 2022, in Miami, Florida. A person allegedly responsible for the Ticketmaster breach was arrested in Canada last week. (Joe Raedle/Getty Images)

Live Nation Entertainment, the parent company of global entertainment company Ticketmaster, acknowledged late Friday a cybersecurity incident roughly five days after a hacker advertised a massive tranche of company data for sale for $500,000.

The company “identified unauthorized activity within a third-party cloud database environment containing Company data” on May 20, according to a Securities and Exchange Commission filing.

“We are working to mitigate the risk to our users and the Company, and have notified and are cooperating with law enforcement,” the filing stated.

Ticketmaster has not responded to multiple requests for comment from CyberScoop over the past week about the incident.

The claim that Ticketmaster had been breached first surfaced on May 28, when a persona known as “ShinyHunters” advertised the data for sale for $500,000. VX-Underground, an online repository for malware research, said Thursday that it had spoken with “multiple individuals” who claimed to be involved in the Ticketmaster breach and that they accessed the company’s data through a managed service provider.

ShinyHunters did not respond to questions about VX-Underground’s statement.

Though the authenticity of the stolen data has not been confirmed, cybersecurity researchers say privately that they believe at least some of the data being offered for sale appears legitimate. 

Listing posted to BreachForums (CyberScoop).

The listing and samples of six separate Ticketmaster datasets were posted to BreachForums, a cybercrime forum briefly disrupted last month as part of an FBI-led international law enforcement operation. The disruption was the second time police had taken down the site — but in both instances, site administrators managed to reconstitute the site. It remains operational.

Separately, the hacker claiming to have targeted Ticketmaster is also selling data on customers of the bank Santander. The bank acknowledged last month that data from customers in Chile, Spain and Uruguay, as well as data from “all current and some former Santander employees,” has been stolen. Data on as many as 30 million people could be involved in that attack, the BBC reported Friday.

The breach at Ticketmaster comes on the heels of the Department of Justice and 30 state and district attorneys general filing a civil antitrust lawsuit against Live Nation and Ticketmaster for monopolization and “other unlawful conduct that thwarts competition in markets across the live entertainment industry.” 

The DOJ did not respond to questions about the breach and whether it would affect the antitrust suit against Ticketmaster. 

A spokesperson for the Australian Department of Home Affairs told CyberScoop that the Australian government “is aware of a cyber incident impacting Ticketmaster,” and that the country’s National Office of Cyber Security is “engaging with Ticketmaster to understand the incident.”

The Cybersecurity and Infrastructure Security Agency referred questions to Ticketmaster. The FBI did not respond to a request for comment.

On Friday, the Israeli firm Hudson Rock reported that the breach of Ticketmaster may be linked to breaches at as many as 400 other companies, perpetrated using stolen credentials of an employee at Snowflake, the cloud storage and services company that TechCrunch reported on Friday hosted the stolen database.

On Saturday, Hudson Rock removed from their website the report containing that claim. The company did not immediately respond to questions about why the report was removed. 

In an update shared with customers on the company’s website, Snowflake said it became “aware of potentially unauthorized access to certain customer accounts on May 23, 2024.” A subsequent investigation revealed “increased threat activity beginning mid-April 2024 from a subset of IP addresses and suspicious clients we believe are related to unauthorized access.”

Technical details shared by Snowflake noted that the company does not believe “this activity is caused by any vulnerability, misconfiguration, or malicious activity within the Snowflake product,” and that it has “promptly informed the limited number of customers who we believe may have been impacted.”

A Snowflake spokesperson referred CyberScoop to the updates posted to the site. The spokesperson declined to respond to claims in the Hudson Rock report. 

In an updated statement issued Friday, Snowflake said that it found evidence that “similar to impacted customer accounts, the threat actor obtained personal credentials to and accessed a demo account owned by a former Snowflake employee.” 

That account did not contain sensitive data, the company said, and demo accounts “are not connected to Snowflake’s production or corporate systems. The access was possible because the demo account was not behind Okta or [multifactor authentication], unlike Snowflake’s corporate and production system.” 

The statement noted that if a threat actor obtained customer credentials, “they may be able to access the account.” 

Updated May 31, 2024: This article has been updated with information about a Live Nation SEC filing describing a breach of the company and an additional statement from Snowflake.

Updated June 1, 2024: This story has been updated to reflect that Hudson Rock pulled down its investigation into claims that Ticketmaster was breached via Snowflake and to reference reporting by TechCrunch that Ticketmaster’s stolen database was hosted on Snowflake.
