560 million Ticketmaster customers have had personal information and possibly payment card data exposed as part of a 1.3 TB theft by the ShinyHunters hacking group. The data breach appeared on the underground hacking forum BreachForums, which ShinyHunters is a partial owner of, and was put up for ransom for half a million dollars.
Ticketmaster has not yet acknowledged the data breach, but ShinyHunters has posted information that some security researchers believe to be legitimate. Impacted Ticketmaster customers can expect their contact information and order histories to be exposed at minimum, and may also have had the last four digits and expiration dates of their payment cards taken by the intruders.
Outcome for Ticketmaster customers in doubt as ransom demand hangs over company
As of this writing, ShinyHunters is still actively attempting to extort the company into paying a ransom. Such a payment could at least delay the damage for Ticketmaster customers, though other major hacking groups have been caught holding on to stolen data that they promised to release.
The data breach is being held hostage for a relatively modest price given the number of records, likely due to the fact that no “hard” personal identifiers that are key to fraud (such as Social Security numbers) and only partial payment card numbers are included. Still, the cache would be a windfall for targeted phishing scammers should it be released to the public via the dark web.
It is still not clear how the data breach occurred, and likely will not be until Ticketmaster formally acknowledges it. Breaches this large generally trip automated alarms as it is very difficult to quietly extract hundreds of millions of records with any sort of speed.
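The claim above, that pulling hundreds of millions of records quickly is hard to do quietly, rests on volume-based monitoring of the kind below. This is an added illustration, not code from the article or from Ticketmaster: it scans constructed database audit-log lines and flags any principal whose rows returned within a short window exceed both an absolute ceiling and a large multiple of that principal's usual query size (the window and thresholds are assumed tuning values).

```python
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import median

# Constructed sample audit-log lines (not real logs): timestamp, principal, rows returned.
SAMPLE_LOG = """\
2024-04-10T02:00:05Z svc_reporting rows=1200
2024-04-10T02:05:11Z svc_reporting rows=1350
2024-04-10T02:10:42Z svc_reporting rows=980
2024-04-10T02:15:03Z svc_reporting rows=1100
2024-04-10T02:20:19Z svc_reporting rows=5000000
2024-04-10T02:21:07Z svc_reporting rows=5000000
2024-04-10T02:22:30Z svc_reporting rows=5000000
2024-04-10T02:23:44Z web_app rows=3
2024-04-10T02:24:01Z web_app rows=1
"""

WINDOW = timedelta(minutes=10)   # assumed: sliding window per principal
ABSOLUTE_ROWS = 1_000_000        # assumed: never a normal volume for one window
BASELINE_MULTIPLIER = 50         # assumed: window total must dwarf the principal's median query

def parse_line(line):
    ts, principal, rows = line.split()
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), principal, int(rows.split("=")[1])

def find_bulk_extraction(log_text):
    """Return (principal, window_end, rows_in_window) for each principal whose rows
    returned inside WINDOW exceed ABSOLUTE_ROWS and BASELINE_MULTIPLIER x its median query.
    The median is robust enough that a few huge queries do not drag the baseline up."""
    events = defaultdict(list)
    for line in log_text.strip().splitlines():
        ts, principal, rows = parse_line(line)
        events[principal].append((ts, rows))
    alerts = []
    for principal, evs in events.items():
        evs.sort()
        baseline = median(r for _, r in evs)
        start = 0
        for end, (ts, _) in enumerate(evs):
            while evs[start][0] < ts - WINDOW:   # slide the window start forward
                start += 1
            total = sum(r for _, r in evs[start:end + 1])
            if total >= ABSOLUTE_ROWS and total >= BASELINE_MULTIPLIER * baseline:
                alerts.append((principal, ts, total))
                break   # first crossing is enough to raise the alarm for this principal
    return alerts
```

On the sample, the reporting service account trips the alert on its first multi-million-row query, while the low-volume web application never does.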
Andrew Costis, Chapter Lead of the Adversary Research Team at AttackIQ, expands on the known capability of the hackers: “ShinyHunters are well versed in the art of data breaches. They are known for gaining access via Microsoft Office 365, GitHub, obtaining access to valid accounts, as well as exploiting vulnerabilities. It’s important to test for post-compromise techniques that are precursory to targeting critical business applications such as databases or other systems containing sensitive information. These are often the end goal of groups such as ShinyHunters, who aim to monetize on the stolen data from their targets.”
Data breach adds to negative public sentiment against Ticketmaster
Ticketmaster now has a long history of riling its customers, but things have moved beyond angering Taylor Swift concert-goers to a Department of Justice investigation of parent company LiveNation for holding a monopoly over live event tickets. That suit was just filed last week.
Ticketmaster customers have endured bots finding ever-more-creative ways to poach tickets to high-demand events, the company hacking into a competitor's systems to obtain confidential information (in a 2021 data breach involving rival Songkick), "service fees" that never seem to stop climbing, deals struck with resellers to provide them with tickets directly before they hit the open market, and the introduction of a "dynamic pricing" model in 2022. But they have also endured prior data breaches. The company's UK branch was caught up in the Magecart hacking spree in 2018, causing over 40,000 records of personal data to be exposed.
BreachForums is run in part by ShinyHunters, and one of its other administrators (who has also been personally involved in numerous high-profile data breaches) was recently arrested amidst a raid of the board's assets. The board was quickly able to re-form elsewhere, as it has following several previous raids, and the posting of the data stolen from Ticketmaster customers may be an attempt to reassure users that things are safe and business continues as usual. The DOJ said that it captured extensive back-end data during the most recent raid, which could mean a trail to identification of some of its users.
Ticketmaster customers have the silver lining of not having full payment card information exposed in the data breach, but will likely be dealing with knock-on effects from it for some time. In addition to more carefully screening incoming emails and messages, victims may want to look into added protection against SIM swap attacks involving any phone numbers they had listed with the service. Some service providers offer the ability to set a PIN for account verification before any major changes of this nature are made, but this option is also usually not presented by default and has to be proactively enabled.
It is still unclear if impacted Ticketmaster customers will be offered free credit monitoring; the company will first have to acknowledge the data breach. There is some division among security researchers about how legitimate the breach is, however. That the breach took place does not seem to be in question, but there is some question as to whether the 560 million record number has been inflated as a means of drawing publicity for the struggling forum. However, at least one reputable source (vx-underground on X) claims to have spoken with anonymous insiders at Ticketmaster and has verified that the breach is extensive and originated with an attack on a managed service provider (MSP) sometime in April that provided downstream access to Ticketmaster customers. ShinyHunters has done this dance with major corporations before, breaching AT&T for 70 million customer records in 2021 and repeatedly threatening the company as it denied the incident had occurred. Those records did not surface on the dark web until earlier this year.
Toby Lewis, Global Head of Threat Analysis at Darktrace, thus urges caution in response: “This alleged attack on Ticketmaster is an unpleasant reminder that no organization is immune from cyber threats. However, it’s crucial to approach this incident with scepticism until more information is available, as the timing of the data being offered on the relaunched BreachForums site raises questions about its authenticity. If confirmed, Ticketmaster must be transparent about the accessed data. Customers can protect themselves by changing passwords and monitoring their accounts, although this may be fruitless if the attackers still have access or if there is no breach in the first place. It’s advisable to wait for confirmation and follow instructions from Ticketmaster’s incident response teams. While there’s no harm in proactively changing passwords (including on accounts with re-used passwords), customers should be prepared to do it again if necessary. Cybersecurity should be at the forefront of businesses’ technology strategy. AI tools can automate prevention and response protocols, enabling proactive defence. Until more details emerge, customers should remain vigilant but avoid jumping to conclusions about the scale or impact of this alleged breach.”
Darren Williams, CEO and Founder, BlackFog, believes that no one should assume the breach is not legitimate or that most of Ticketmaster's customer database is not impacted: "The breach of TicketMaster shows us how large-scale these operations can be. Now that the data has been exfiltrated from TicketMaster, the threat group can continuously target the individuals through social engineering and phishing attempts. Large entities, especially those such as TicketMaster, must invest in anti-data-exfiltration technology to ensure no data is leaving their system without proper authorization."
Narayana Pappu, CEO at Zendata, notes that this case will also likely be of interest to investors: "Potentially affected Ticketmaster customers should closely monitor their email for any new account creations and credit/debit cards for transactions. I also recommend that they create a PIN with their cell phone providers to protect against SIM swaps. Ticketmaster has a significant market share of the ticket sale market, and incidents like this can have significant long-term impact. In the past, breaches have led to companies losing market share to key competitors. The Ashley Madison and Equifax breaches are a couple of examples."