Some music fans look forward to the summer concert season all year, but a recent Ticketmaster hack threatens to disrupt their plans. The ticket giant, which has a virtual monopoly on concert tickets for major shows in the United States and certain other countries, has had at least 39,000 print-at-home tickets for upcoming shows leaked to the dark web by ransom-seeking hackers who say they have more in hand.
The concert tickets that have been leaked thus far are for major acts that have shows scheduled in the coming weeks. About 166,000 ticket barcodes for the world’s biggest musical act, Taylor Swift, were leaked a week prior by the same threat actors. The Ticketmaster hack was perpetrated by a group calling itself “Sp1d3rHunters,” which has since leaked print-at-home tickets to shows from acts such as Bruce Springsteen, Red Hot Chili Peppers, Alanis Morissette and Aerosmith’s farewell tour.
Total damage from Ticketmaster hack remains unclear
For its part, Ticketmaster has acknowledged the breach but claims it is not a big deal, as its “SafeTix” technology regularly refreshes the barcode on its mobile app concert tickets. However, the hackers point out that this does not address the print-at-home tickets they stole, which customers receive either by physical mail or through the TicketFast option that emails a printable PDF to the buyer. The CSV file posted by the hackers to an underground hacking forum shows them as having at least 38,745 of these TicketFast tickets.
The Ticketmaster hack impacts about 150 upcoming events involving numerous popular musical acts as well as Cirque du Soleil. Sp1d3rHunters first appeared with stolen concert tickets on July 4, claiming the theft of assorted tickets to Taylor Swift Eras Tour shows scheduled for October and November in Miami, New Orleans and Indianapolis. The hackers also included a link to a YouTube tutorial demonstrating how to make a printable barcode ticket in Excel. At that time the hackers claimed to have 30 million more concert tickets in reserve as well as the account information of 680 million Ticketmaster customers, and demanded a ransom of $2 million to prevent a public data leak of the whole trove.
Following that post, Ticketmaster told media sources that it was not engaged in negotiations with the hackers (who had claimed that Ticketmaster offered them $1 million). The new post appears to be intended to step up the pressure and counter Ticketmaster’s claims that the SafeTix technology can fully protect impacted customers. The hackers say that Ticketmaster will have to void and reissue any stolen print-at-home concert tickets, something likely to be a massive expense and PR disaster for the company if true.
Some of the leaked concert tickets are for shows listed as early as July 8, meaning that customers who have not seen the news of the Ticketmaster hack may already be running into difficulties upon showing up at venues. Though there is not yet any indication that login information has been exposed, all Ticketmaster customers are being advised to change their account password as a precaution while the full details of the breach remain unclear.
Theft of concert tickets may be connected to prior breaches involving ShinyHunters and Snowflake
In the meantime, the infamous group ShinyHunters has also jumped in to demand an $8 million ransom from Ticketmaster. ShinyHunters has been tormenting Ticketmaster since May, when it appeared to acquire internal data from its breach of cloud storage firm Snowflake. In a since-removed post that appeared on BreachForums, ShinyHunters claimed to be sitting on a massive trove of stolen information that goes far beyond concert tickets: 400 million encrypted credit card numbers (with partial information exposed), 980 million sales orders, 560 million Address Verification System records, and 440 million email addresses, among other items.
Potentially all of the Ticketmaster hack threads trace back to the Snowflake breach, which took place in April and is thought to have impacted at least 165 organizations. Snowflake is popular as a storage solution with large-scale enterprises and the breach has led to prior extortion attempts on Neiman Marcus, Advance Auto Parts and the Los Angeles Unified School District among others.
It is still unclear if the Snowflake breach is directly connected to the current Ticketmaster hack, but the timing is highly coincidental, and there may be direct connections between ShinyHunters and Sp1d3rHunters as well. There is some speculation among security researchers that Sp1d3rHunters may be a sock puppet that ShinyHunters uses to advertise breaches and data for sale on forums other than BreachForums, of which it is an operator. During its May announcements of its breach of Ticketmaster, ShinyHunters claimed that it had taken 560 million tickets from its compromised Snowflake account.
Toby Lewis, Global Head of Threat Analysis at Darktrace, notes that the possibility of immediate monetization of the printable concert tickets makes the Ticketmaster hack a unique situation: “The ongoing Ticketmaster extortion campaign, now claiming to leak over 30,000 print-at-home tickets, highlights a critical cybersecurity issue. Unlike typical data breaches, stolen ticket barcodes are immediately monetizable and could cause significant disruption at events if duplicates are used. This breach poses a unique challenge for Ticketmaster. While they claim they can easily revoke digital tickets without most users noticing, the situation with printed barcodes is far more complex. If the attackers indeed have access to physical ticket data as claimed, any attempts to address this will be highly visible to end-users and potentially disruptive to events. Customers should follow Ticketmaster’s official instructions, change passwords, and stay alert for any communications about ticket validity. Ticket holders may face additional verification measures at events. This incident underscores the need for robust cybersecurity strategies, especially for businesses handling instantly valuable data. It demonstrates how cyber attacks can have immediate, real-world consequences beyond data privacy concerns.”