In a series of unsettling developments, Ticketmaster, the global ticket sales and distribution company, has once again fallen victim to a major cybersecurity breach. This time, hackers claim to have obtained barcode data for hundreds of thousands of tickets to Taylor Swift’s Eras Tour and are demanding millions of dollars in ransom. This latest attack underscores a worrying trend of increasing sophistication and audacity in cybercrime targeting major corporations.
The History of Ticketmaster Hacks
Ticketmaster has faced several cybersecurity incidents over the years. The most notable include:
- 2018 Data Breach: In June 2018, Ticketmaster disclosed a significant data breach involving personal information, including names, addresses, email addresses, telephone numbers, payment details, and Ticketmaster login details. The breach was attributed to a third-party supplier, Inbenta Technologies.
- 2020 Credential Stuffing Attack: In 2020, Ticketmaster was hit by a credential stuffing attack, where hackers used leaked usernames and passwords from other breaches to gain access to user accounts. This incident highlighted the vulnerability of password reuse among users.
- 2023 ShinyHunters Breach: In 2023, the hacking group ShinyHunters claimed responsibility for stealing the personal details of 560 million Ticketmaster customers. This breach exposed a vast amount of user data, including names, email addresses, and purchase history.
The Latest Extortion by Hackers
The latest breach, which has captured significant media attention, involves hackers allegedly leaking barcode data that can replicate real ticket codes for Taylor Swift’s concerts. This breach has put thousands of fans at risk of counterfeit tickets and potential financial losses.
Key Events in the Latest Breach:
- Initial Leak: Hackers initially leaked barcode data for 170,000 barcodes for sale, with about 20,000 for sale at each show including tickets to upcoming high-profile events, including Taylor Swift’s Eras Tour. This move was a clear attempt to demonstrate their capabilities and pressure Ticketmaster into paying a ransom.
- Ransom Demand: The hackers demanded a ransom of $2 million USD, threatening to release data for an additional 680 million users if their demands were not met. This extortion attempt has raised alarms about the security of ticketing platforms and the potential for large-scale fraud.
- Ticketmaster’s Response: Ticketmaster acknowledged the breach, attributing it to unauthorized access to a third-party data server provider. The company has assured users that no further suspicious activity has been detected on their platform and that they are working to secure their systems.
- Impact on Users: More than 500,000 Ticketmaster users have been affected by this breach, with many concerned about the security of their personal information and the validity of their purchased tickets.
- Industry Implications: This breach has wider implications for the ticketing industry, highlighting the need for robust cybersecurity measures to protect sensitive user data and prevent fraudulent activities.
How the Recent Hack Happened
The recent Ticketmaster hack highlights the vulnerabilities associated with third-party service providers, specifically focusing on the involvement of Snowflake, a cloud data platform. Here’s a detailed analysis of how the hackers managed to breach the system:
Initial Compromise
- Snowflake Account Compromise: The hackers exploited a critical vulnerability related to a former employee’s Snowflake account. This account was not protected by multifactor authentication (MFA), making it an easy target for attackers.
- Credential Theft: The attackers obtained the credentials of the former Snowflake employee, which allowed them to access the Snowflake environment used by Ticketmaster. This credential theft could have occurred through phishing attacks, social engineering, or purchasing stolen credentials from the dark web.
- Unauthorized Access: With the stolen credentials, the hackers gained unauthorized access to Snowflake’s cloud data storage, where Ticketmaster’s data, including sensitive information and ticket barcodes, was stored.
- Data Exfiltration: Once inside the Snowflake environment, the hackers exfiltrated a significant amount of data, including over 1.3 terabytes of ticket barcode information and other sensitive user data. This large-scale data theft occurred over a period, indicating that the breach went undetected for some time.
Specifics of the Vulnerability
- Lack of MFA: The absence of multifactor authentication on the compromised Snowflake account was a critical security lapse. MFA adds an extra layer of security by requiring users to provide two or more verification factors to gain access to a resource such as an application or an online account.
- Former Employee Account: The account in question belonged to a former employee, highlighting the risk associated with not properly deactivating or securing accounts of former staff members.
- Snowflake’s Role: Snowflake, as a third-party cloud data provider, was implicated due to the compromised account within their platform. Although Snowflake itself did not directly cause the breach, the security gap in their system allowed the attackers to exploit the situation.
Moving Forward
Ticketmaster is under significant pressure to enhance its cybersecurity protocols and reassure its customers. The company has promised to conduct a thorough investigation and implement stronger security measures to prevent future breaches. Additionally, affected users are advised to monitor their accounts for suspicious activity and avoid clicking on links or downloading attachments from unknown sources.
Information security specialist, currently working as risk infrastructure specialist & investigator.
15 years of experience in risk and control process, security audit support, business continuity design and support, workgroup management and information security standards.