Live Nation Entertainment, Inc. has confirmed a data breach affecting its subsidiary, Ticketmaster LLC, due to unauthorised access to a third-party cloud database believed to be hosted by Snowflake. The breach was identified on May 20, 2024, prompting an investigation involving top forensic experts to determine the scope and impact.
On May 27, 2024, a criminal entity attempted to sell what it claimed to be Ticketmaster user data on the dark web. Live Nation is actively working to mitigate risks, cooperating with law enforcement, and notifying regulatory authorities and affected users about the unauthorised access to personal information.
The breach allegedly impacts over 560 million Ticketmaster users, with stolen databases reportedly containing 1.3 TB of sensitive data, including names, addresses, email addresses, phone numbers, ticket sales, orders, and event information. Despite the breach's scale, Live Nation does not anticipate a material impact on its business operations or financial condition.
A hacker group known as Shiny Hunters has been attempting to sell the Ticketmaster data for $500,000 on a hacking forum. The threat actor claims to have used stolen credentials, obtained via information-stealing malware, to breach a Snowflake employee’s ServiceNow account, enabling them to exfiltrate data.
The hacker also claims responsibility for breaches at other companies, including Anheuser-Busch, State Farm, Mitsubishi, Progressive, Neiman Marcus, Allstate, and Advance Auto Parts. However, Progressive and Mitsubishi have disputed these claims, stating that there is no evidence of a breach in their systems.
Snowflake has attributed the breaches to poorly secured customer accounts lacking multi-factor authentication. The company noted that attacks began in mid-April, with the first data theft occurring on May 23. Snowflake has issued Indicators of Compromise (IOCs) for customers to check their logs for potential breaches.
Mandiant Consulting CTO Charles Carmakal confirmed that Mandiant has been investigating compromised Snowflake clients, identifying breaches involving stolen credentials.
This situation is still evolving, and further updates will be provided as new information becomes available.