Last week, the hack-and-leak ring known as ShinyHunters put what it alleged to be data on more than a half-billion Ticketmaster customers up for sale on the BreachForums underground market. After days of reports and speculation from media about the validity of the claim, Ticketmaster parent Live Nation has now acknowledged that the breach was real. However, it has confirmed few other details.
Last Friday, Live Nation filed a data breach disclosure notice with the US Securities and Exchange Commission (SEC), noting that there was “unauthorized activity within a third-party cloud database environment containing company data” on May 20, and that “a criminal threat actor offered what it alleged to be company user data for sale via the Dark Web” on May 27.
However, the events giant didn’t confirm the mind-boggling number of records (560 million) that ShinyHunters claimed to have, nor did it reveal details on what type of data the heist contains. In the BreachForums listing, the threat actors professed to have personally identifiable information (PII) such as names, emails, addresses, and partial payment card details.
Nonetheless, the SEC filing appears to be voluntary, and notes that LiveNation doesn’t expect the breach to be “material,” i.e. impactful to its financial profile going forward. That suggests that it expects little fallout from the incident, and belies the claims in the underground listings.
Ticketmaster did not return a request for comment from Dark Reading.
Third-Party Cloud Database Security Lacking
As for the third-party cloud database involved, members of the threat intelligence community in emails to Dark Reading have identified it to be Snowflake, which issued its own statement acknowledging that there has been cyberactivity directed towards some of its customers, which include Ticketmaster. But, the posting on its community forum didn’t name names as to which customers are affected, and the company didn’t immediately respond to a request for comment.
Snowflake did note that the attacks succeeded due to poor customer configuration: “This appears to be a targeted campaign directed at users with single-factor authentication; as part of this campaign, threat actors have leveraged credentials previously purchased or obtained through infostealing malware.”
Overall, there’s little confirmation when it comes to the exact details of the breach, who’s affected and how, and the contours of the incident regarding Snowflake and which of its customers might be affected. Beyond Ticketmaster, high-profile Snowflake accounts include AT&T, jetBlue, Mastercard, and Santander, which recently reported its own data breach involving an unnamed third-party provider (it has not confirmed that Snowflake was the affected account).
To boot, Matt Hull, global head of threat intelligence at NCC Group, said that it’s even unclear what role ShinyHunters is playing.
“A post on a Russian cybercriminal forum was made more than a day before ShinyHunters’ post on BreachForums concerning the sale of Ticketmaster/Live Nation data,” he said in an emailed statement. “The notable difference between the two listings is that the post on the Russian forum requires a guarantor, whereas ShinyHunters’ post on Breach Forums does not. It is possible that ShinyHunters are acting as a proxy/middleman for the sale of data for the original attackers.”
It’s unclear when additional details might emerge on the breach, but for now, Live Nation delivered boilerplate language in its SEC filing: “We are working to mitigate risk to our users and the company, and have notified and are cooperating with law enforcement. As appropriate, we are also notifying regulatory authorities and users with respect to unauthorized access to personal information.”
Leave a Reply