Ticketmaster Breach Exposes 590M Users as Data Surfaces on BreachForums

Ticketmaster has reportedly been subject to a massive data breach. The breach led to the theft of data of 590 million users, some of whom are now suing Ticketmaster for cybersecurity negligence and privacy violations. Read how the Ticketmaster breach is connected to the recent BreachForums takedown and resurfacing.

May 31, 2024

Ticketmaster data breach and leak
(Credits: sf_freelance/Shutterstock.com)

  • Ticketmaster, which commands 80% of the U.S. ticketing market, was recently breached by an unknown entity.
  • Data of 590 million users is put up for sale on the BreachForums marketplace by ShinyHunters.

Ticketmaster has reportedly been subject to a massive data breach. According to a report from HackRead, ShinyHunters has claimed responsibility for breaching the ticket sales and distribution company and stealing the data of 560 million users.

The threat group also claims to have put the data on sale for just $500,000 on BreachForums, a darknet marketplace that recently resurfaced after a global law enforcement operation took down its infrastructure.

The treasure trove of information, measuring 1.3 terabytes, contains sensitive, personally identifiable information, including full names, addresses, email addresses, and phone numbers. Users’ ticket sales and event details, order information, and partial payment card data are also allegedly on sale, alongside payment data, including customer names, the last four digits of card numbers, credit card type, authentication type, expiration dates, and financial transactions.

ShinyHunters’ Post to Sell Ticketmaster Data
Source: Malwarebytes Labs

Ticketmaster customers at risk of phishing

“Such information falling into malicious hands opens the floodgates to potential phishing schemes and identity fraud, posing a grave risk to affected individuals. It is imperative for Ticketmaster users to remain vigilant against any phishing and identity theft attempts,” Nick Tausek, lead security automation architect at Swimlane, told Spiceworks News & Insights over email.

Over half a billion individuals are thus at risk of being targeted in highly convincing phishing scams by the buyer of the breached Ticketmaster data. Jason Kent, hacker in residence at Cequence Security, advises victims of the Ticketmaster breach:

“What should you do if you are a Ticketmaster Customer? Be prepared. Whatever email address you use for their service should now be considered suspect. If you are still using that old Yahoo account and thought about switching, now is a good time. Emails from Ticketmaster should be ignored for a bit, don’t click links in those emails you do get from them and verify they are from Ticketmaster before you believe anything. Do independent research for their phone numbers if you have any questions. Anyone paranoid enough should consider their credit card as compromised and begin the process of acquiring a new account. Be ever vigilant with credit monitoring and understand the scammers now have a new wealth of knowledge to use.” – Jason Kent.

Who breached Ticketmaster?

Kent continued, “Ticketmaster, like many organizations, ended up with a target on its back and now they are under the scrutiny of a community of data thieves that seem to win at all costs. Though the data hasn’t been verified and Ticketmaster hasn’t come forward with an announcement, they seem to have lost this round with ShinyHunters.”

Online cyber collective vx-underground tweeted that the sample they obtained was “absurdly large and made it difficult to review in-depth” but appears authentic.

Matt Hull, global head of Threat Intelligence at NCC Group, told Spiceworks News & Insights that ShinyHunters is acting as a middleman to sell data for the threat actors that breached Ticketmaster.

“As for ShinyHunters’ involvement with the Ticketmaster breach, the waters are, again, muddy. A post on a Russian cybercriminal forum was made more than a day before ShinyHunters’ post on Breach Forums concerning the sale of Ticketmaster/Live Nation data. The notable difference between the two listings is that the post on the Russian forum requires a guarantor, whereas ShinyHunters’ post on BF does not. It is possible that ShinyHunters is acting as a proxy/middleman for the sale of data for the original attackers,” Hull noted.

vx-underground added that they spoke with multiple individuals with details about the breach and that ShinyHunters weren’t behind the breach itself; they only acted as a proxy.

ShinyHunters’ misadventures

ShinyHunters has previously leaked stolen data from:

  • Dating site MeetMindful – 2.28 million users
  • AT&T – 70 million subscribers
  • Microsoft – Hundreds of gigabytes of source code
  • Tokopedia – 90 million
  • Unacademy – 10 million users
  • Pixlr – 1.9 million

The hacking syndicate has also leaked data from Bonobos.com, Wongnai.com, Teespring.com, Tunedglobal.com, Buyucoin.com, Wappalyzer.com, Chqbook.com, Rooter.io, Dave, Zoosk, Star Tribune newspaper, and Home Chef.

“The group often initiates their campaigns by harvesting legitimate credentials from victims. This is done either through the use of phishing campaigns, through purchasing previously leaked credentials on the dark web, or through getting lucky with previously leaked credentials floating about on the open web – a reminder of the importance of regularly changing your passwords,” Hull continued.

ShinyHunters is also associated with BreachForums as an administrator and was suspected to have been working on something to mark the darknet site’s reemergence. “Within a day of the initial takedown, the clearnet domain [of BreachForums] had been re-established, though the dark web domain could not be regained from the FBI, and so a new one has been created,” Hull added.

“There is chatter that the ShinyHunters currently operating BreachForums after its reestablishment may not be the same people as before the FBI’s initial seizure, but rather other group members co-opting established usernames.”

Weak cybersecurity continues to be a significant problem

vx-underground were told that the threat group behind the Ticketmaster breach could access the company’s AWS instances by pivoting from a Managed Service Provider.

Roy Akerman, CEO & co-founder of Rezonate, told Spiceworks, “We need to face the facts. User identities are the keys to the castle and should be protected as such. According to the 2024 Verizon Data Breach Report, 68% of breaches happen due to human error and 1/3 of breaches happen due to misconfigurations and other issues.”

“In light of this, it is crucial to allocate resources to security solutions that establish a baseline for user behavior within an organization’s network. This approach allows security teams to swiftly detect and address anomalies and respond to potential threats before they escalate into full blown breaches. In today’s landscape, the question is not whether you’ll face a breach, but when.”

Ticketmaster and its parent company, Live Nation Entertainment, are also subject to a class action lawsuit for their “failure to implement adequate and reasonable cybersecurity procedures and protocols, consistent with the industry standard, necessary to protect Private Information from the foreseeable threat of a cyberattack.”

The plaintiffs also allege that Ticketmaster violated the California Consumer Privacy Act, the California Legal Remedies Act, and the California Unfair Competition Law.

Ticketmaster, which accounts for 80% of the ticketing industry, was also sued by the Department of Justice and 29 attorneys general for anticompetitive conduct.

“The recent legal action taken by the Justice Department, which filed a federal lawsuit last week accusing Ticketmaster and its parent company Live Nation of illegally monopolizing the live entertainment industry, also mentions Ticketmaster’s history of cybersecurity incidents and breaches,” Tausek added.

“This development is noteworthy, underscoring the inherent risk associated with industry consolidation. In concentrated and monopolized industries such as live entertainment with Ticketmaster, vulnerabilities to data breaches are heightened, amplifying the need for proactive security measures and response protocols.”

“In this current era of frenzied corporate acquisitions, it is important to not only view monopolies as dangerous to consumers’ wallets, but also dangerous from a cybersecurity perspective. While antitrust legislation is nothing new, hopefully, this increased cyber risk will be taken into account in anti-monopoly actions taken by various governments around the world, both through the prosecution of companies like Ticketmaster for holding illegal monopolies, and also through strengthening anti-trust legislation where appropriate.”

Sumeet Wadhwani

Asst. Editor, Spiceworks Ziff Davis
