Entertainment conglomerate Live Nation confirmed that it is dealing with a data breach in documents filed with regulators late on Friday afternoon.
In an 8-K filing, Live Nation said it discovered “unauthorized activity” on May 20 in an unnamed third-party cloud database that contained information primarily from Ticketmaster — one of the company’s largest subsidiaries.
An investigation was launched and by May 27, hackers began selling the stolen data on the dark web, according to Live Nation.
The filing references a cybercriminal forum post in which a notorious group of hackers named ShinyHunters claimed to have a 1.3 terabyte database of information on about 560 million Ticketmaster users, including names, addresses, emails and phone numbers as well as event details and information on specific orders.
The database allegedly includes credit card details — names, expiration dates and the last four digits of card numbers. ShinyHunters is offering the database for $500,000.
Live Nation said it is currently “working to mitigate risk” to its users and has notified law enforcement about the incident.
“As appropriate, we are also notifying regulatory authorities and users with respect to unauthorized access to personal information,” the company said, adding that it does not believe the incident will have a “material impact” on the company’s business operations or financial standing.
Ticketmaster did not respond to requests for comment about the incident. TechCrunch and several other researchers confirmed that at least some of the data included in the ShinyHunters database is legitimate and tied to real people. The most recent data in the batch is from March 2024, according to one sample.
Snowflake weighs in
Ticketmaster confirmed to TechCrunch on Friday that the data leaked was from a database hosted on Snowflake — one of the largest cloud storage companies.
In multiple statements since Thursday, Snowflake confirmed that some of its customers have been under attack by threat actors. The company hired CrowdStrike and Mandiant to conduct an investigation and on Sunday said the attacks appear to be a targeted campaign “directed at users with single-factor authentication.”
“As part of this campaign, threat actors have leveraged credentials previously purchased or obtained through infostealing malware,” Snowflake official Brad Jones said, denying that there was any vulnerability or issue with the company’s products.
“Throughout the course of the investigation, Snowflake has promptly informed the limited number of Snowflake customers who it believes may have been affected. Mandiant has also engaged in outreach to potentially affected organizations.”
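One check that follows from Snowflake's description of the campaign, written here as an added example that is not part of the article or of Snowflake's own guidance: a query over the ACCOUNT_USAGE login history that lists users who recently authenticated with a password and no second factor, ranked by how many distinct source addresses they came from. The 30-day window and the ordering are assumptions chosen for illustration; the view itself and its column names are standard Snowflake.

```sql
-- Added example (not from the article): find Snowflake users who have recently
-- logged in successfully with a password only, i.e. no second factor.
-- Assumes a role that can read SNOWFLAKE.ACCOUNT_USAGE (for example ACCOUNTADMIN).
-- The 30-day window is an assumption chosen for illustration.
WITH recent_logins AS (
  SELECT user_name,
         client_ip,
         first_authentication_factor,
         second_authentication_factor,
         event_timestamp
  FROM snowflake.account_usage.login_history
  WHERE is_success = 'YES'
    AND event_timestamp >= DATEADD('day', -30, CURRENT_TIMESTAMP())
)
SELECT user_name,
       COUNT(*)                  AS successful_logins,
       COUNT(DISTINCT client_ip) AS distinct_source_ips,
       MIN(event_timestamp)      AS first_seen,
       MAX(event_timestamp)      AS last_seen
FROM recent_logins
-- Password with no second factor is exactly the single-factor population
-- the campaign targeted; key-pair, OAuth and SAML logins are excluded here.
WHERE first_authentication_factor = 'PASSWORD'
  AND second_authentication_factor IS NULL
GROUP BY user_name
-- Accounts seen from many different addresses deserve the first look.
ORDER BY distinct_source_ips DESC, successful_logins DESC;
```

ACCOUNT_USAGE views are populated with a delay of up to a couple of hours, so this is a review query rather than a real-time alert; any user it returns is a candidate for credential rotation and for enforcing a second factor.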
Mandiant CTO Charles Carmakal confirmed to BleepingComputer that it was working with several Snowflake customers dealing with breaches and said the source is likely stolen credentials used to access specific databases. Members of ShinyHunters also spoke to the same publication and claimed they had several buyers for the stolen information — including Ticketmaster itself.
Matt Hull, global head of threat intelligence at cybersecurity company NCC Group, said ShinyHunters specializes in selling sensitive information and has been active since around 2020.
Despite being relatively new, they are associated with some notable hacks including one involving AT&T.
“The group often initiates their campaigns through harvesting legitimate credentials from victims,” Hull said. “This is done either through the use of phishing campaigns, through purchasing previously-leaked credentials on the dark web, or through getting lucky with previously-leaked credentials floating about on the open web – a reminder of the importance of regularly changing your passwords.”
One alleged member of the group, a 21-year-old French national, was extradited from Morocco to the U.S. for his role and sentenced to three years in federal prison this year. The group also had a run-in with the FBI after law enforcement agencies took down cybercriminal forum Breach Forums, where ShinyHunters operates as an administrator, Hull explained.
The group claimed it also attacked Santander Bank — which released a statement about its own breach in recent days.
The incident comes as Ticketmaster faces increased scrutiny from federal investigators over its business practices and its inability to stop bot farms that buy tickets almost instantaneously and allow people to upsell them.
Cequence Security’s Jason Kent warned that anyone with a Ticketmaster account should worry about the email address and password combination used on the site. All emails from Ticketmaster should be avoided for a bit, he added, noting that any links in emails from the company should be checked before clicking.