Ticketmaster Cyberattack: Impact and Response Measures
By Diego Valverde | Journalist & Industry Analyst
Wed, 06/05/2024 - 12:50
The personal data of 560 million customers of Live Nation, the parent company of Ticketmaster, was potentially compromised due to unauthorized activity in its database. However, researchers suggest this breach might be linked to a larger hacking campaign.
On June 1, Live Nation confirmed “unauthorized activity” in its database. This statement came after the hacker group ShinyHunters claimed to have stolen the personal data of 560 million customers.
ShinyHunters, a group known for its illicit cyber activities, claimed to have obtained 1.3 terabytes of Ticketmaster user data, including names, addresses, phone numbers, order details and credit card information. According to Hack Read, this data was being sold on the dark web for US$500,000. Ticketmaster, as reported by the BBC, declined to confirm these details publicly and chose to notify shareholders late Friday night.
“If the data hack is as extensive as ShinyHunters claims, it could be the most significant breach ever in terms of numbers and extent of data stolen,” the BBC stated in an article.
Live Nation emphasized that Ticketmaster account passwords do not appear to have been compromised, although users are advised to change their passwords as a precautionary measure, according to Brett Callow, cybersecurity analyst, Emsisoft.
This is not the first time Ticketmaster has faced cybersecurity issues. In November last year, the company allegedly suffered a cyberattack that led to problems with ticket sales for Taylor Swift's The Eras Tour. “These incidents highlight the vulnerability of digital platforms to cyber threats and the need for robust security to protect users' personal data,” noted the BBC.
The US Department of Justice (DOJ) has previously reported that ShinyHunters, allegedly responsible for the hack, has traded stolen data from more than 60 companies since the early 2020s. Among the victims are technology, stock trading, apparel and nutrition and fitness companies.
Just as the attack became known, researchers noted that the infiltration of Ticketmaster could be part of a broader hack involving cloud service provider Snowflake, used by many large companies to store data in the cloud.
Snowflake notified its customers about an increase in cyber threat activity targeting some accounts. However, days later, along with CrowdStrike and Mandiant, Snowflake stated that there was no concrete evidence that its platform was responsible for the snooping.
The joint investigation ruled out a vulnerability, misconfiguration or breach of Snowflake's platform as the cause of the activity. Instead, the investigators found that the attack appears to have been a campaign targeting users with single-factor authentication, using credentials that had previously been purchased or obtained through malware.
Hudson Rock, a security firm that had published a preliminary report suggesting that hundreds of Snowflake accounts may have been compromised, removed its report after receiving a letter from Snowflake's legal counsel. In a post on LinkedIn, Hudson Rock stated that, based on the ongoing investigation, they do not believe the activity is caused by any vulnerabilities or malicious activity within the Snowflake product.
In response to this incident, various entities have proposed security measures for users. Raffi Jamgotchian, CEO of Triada Networks, recommended general digital hygiene practices to protect personal data. Odysseas Papadimitriou, former Capital One executive, suggested monitoring card activity linked to Ticketmaster accounts. David Bader, a professor at the New Jersey Institute of Technology, advised users who suspect a data breach to contact their credit card provider for replacement cards and to monitor their credit reports through agencies such as TransUnion, Experian and Equifax.
Papadimitriou also emphasized the importance of not sharing too much personal information, as it can facilitate identity theft. Bader stressed that unexpected requests for information should never be answered over the phone, and that any suspicious calls should be reported to the service provider, as they may indicate a broader attack.
To protect login information, multifactor authentication is recommended. Jamgotchian suggested using methods such as pop-ups, generated codes or text messages to authenticate identity when logging in. In addition, Papadimitriou advised updating Ticketmaster account passwords as a preventative measure.



