Live Nation, the parent company of Ticketmaster, has confirmed “unauthorized activity” on its database after hackers claimed to have stolen the personal details of 560 million customers. The revelation of the Ticketmaster data breach came through a filing to the U.S. Securities and Exchange Commission (SEC), where Live Nation disclosed that a criminal actor had offered what was purported to be company user data for sale on the dark web.
In a filing to the US SEC, Live Nation said that on 27 May “a criminal threat actor offered what it alleged to be Company user data for sale via the dark web”, and that it was investigating.
Company Mitigating Ticketmaster Data Breach
The company further stated in the filing that it is working to mitigate risk to its users and to the Company, and that it has notified and is cooperating with law enforcement. “As appropriate, we are also notifying regulatory authorities and users with respect to unauthorized access to personal information,” reads the filing.
The Ticketmaster data breach was initially identified on May 20, 2024. This is when Live Nation detected unauthorized activity within a third-party cloud database environment primarily housing data from its subsidiary, Ticketmaster L.L.C.
Upon discovering the activity, Live Nation immediately launched an investigation with forensic investigators to determine the extent and nature of the data breach. According to the filing, the company is working diligently to mitigate risks to both its users and its overall operations.
The company said in the filing: “As of the date of this filing, the incident has not had, and we do not believe it is reasonably likely to have, a material impact on our overall business operations or on our financial condition or results of operations. We continue to evaluate the risks and our remediation efforts are ongoing.”
Snowflake Comes Into the Picture
What is more interesting is that a spokesperson for Ticketmaster told TechCrunch that the stolen database was hosted by Snowflake, a Boston-based cloud storage and analytics company. The Cyber Express earlier reported that a threat actor had allegedly taken responsibility for the data breaches at Ticketmaster and Santander Bank, claiming to have stolen the data after hacking an employee account at Snowflake.
However, at that time, Snowflake shot down these data breach claims, attributing the breaches to poor credential hygiene in customer accounts instead.
But now in light of the data breach, Snowflake and third-party cybersecurity experts, CrowdStrike and Mandiant, provided a joint statement related to their ongoing investigation involving a targeted threat campaign against some Snowflake customer accounts.
Snowflake said in a post that it had informed a “limited number of customers who we believe may have been impacted” by attacks “targeting some of our customers’ accounts.” However, Snowflake did not describe the nature of the cyberattacks, or if data had been stolen from customer accounts.
“We believe this is the result of ongoing industry-wide, identity-based attacks with the intent to obtain customer data. Research indicates that these types of attacks are performed with our customers’ user credentials that were exposed through unrelated cyber threat activity. To date, we do not believe this activity is caused by any vulnerability, misconfiguration, or malicious activity within the Snowflake product,” reads the Snowflake blog.
Some of the Key Findings of Snowflake’s Investigation
- No evidence suggests that the activity was caused by a vulnerability, misconfiguration, or breach of Snowflake’s platform.
- There is no evidence pointing to compromised credentials of current or former Snowflake personnel.
- The campaign appears to be targeted at users with single-factor authentication.
- Threat actors have leveraged credentials obtained through infostealing malware.
- A threat actor accessed demo accounts of a former Snowflake employee, which did not contain sensitive data and were not connected to Snowflake’s production or corporate systems. The accounts were not protected by Multi-Factor Authentication (MFA).
Along with the findings, Snowflake also recommended steps that affected organizations should take:
Recommendations for Enhanced Security
- Enforce Multi-Factor Authentication (MFA) on all accounts.
- Set up Network Policy Rules to allow access only to authorized users or from trusted locations (e.g., VPN, Cloud workload NAT).
- Reset and rotate Snowflake credentials for impacted organizations.
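The three recommendations above map onto a handful of Snowflake account-level SQL statements. The following is an added example written for this article, not code from Snowflake's blog post or from Ticketmaster; it uses Snowflake's documented `NETWORK POLICY`, `AUTHENTICATION POLICY`, `ALTER USER` and `ACCOUNT_USAGE.LOGIN_HISTORY` objects, and the IP range and user name are placeholders that an administrator would replace with their own values. The final query is the check a defender would run first: which accounts have been logging in successfully with a password and no second factor, which is exactly the population the campaign is described as targeting.

```sql
-- Added example (not from the original article): implementing Snowflake's
-- three recommendations as ACCOUNTADMIN. Object names, the IP range and the
-- user name below are placeholders chosen for illustration.

USE ROLE ACCOUNTADMIN;

-- 1. Restrict access to trusted locations (e.g. the corporate VPN egress range).
--    203.0.113.0/24 is a documentation-only range standing in for a real VPN CIDR.
CREATE NETWORK POLICY IF NOT EXISTS corp_vpn_only
  ALLOWED_IP_LIST = ('203.0.113.0/24')
  COMMENT = 'Only allow logins from corporate VPN egress';

-- Attach the policy to the whole account so every user is covered.
-- Note: apply this from an IP inside the allowed list, or the current session
-- is locked out along with everyone else.
ALTER ACCOUNT SET NETWORK_POLICY = corp_vpn_only;

-- 2. Enforce MFA for every human account that authenticates with a password.
CREATE AUTHENTICATION POLICY IF NOT EXISTS require_mfa
  AUTHENTICATION_METHODS     = ('PASSWORD', 'SAML')
  MFA_AUTHENTICATION_METHODS = ('PASSWORD')
  MFA_ENROLLMENT             = REQUIRED
  CLIENT_TYPES               = ('SNOWFLAKE_UI', 'SNOWSQL', 'DRIVERS')
  COMMENT = 'Password logins must enroll in and use MFA';

ALTER ACCOUNT SET AUTHENTICATION POLICY require_mfa;

-- 3. Reset and rotate credentials for an impacted user (placeholder name).
--    RESET PASSWORD returns a one-time link the user follows to set a new password;
--    ABORT_ALL_QUERIES-free session invalidation is achieved by the reset itself,
--    so no separate statement is needed.
ALTER USER analyst_placeholder RESET PASSWORD;

-- Detection check: successful password logins with no second factor in the
-- last 30 days. Any row here is an account that would have been exposed to a
-- stolen-credential replay and should be reviewed before the policies are trusted.
SELECT
  user_name,
  client_ip,
  reported_client_type,
  COUNT(*)               AS single_factor_logins,
  MAX(event_timestamp)   AS last_seen
FROM snowflake.account_usage.login_history
WHERE is_success = 'YES'
  AND first_authentication_factor = 'PASSWORD'
  AND second_authentication_factor IS NULL
  AND event_timestamp >= DATEADD(day, -30, CURRENT_TIMESTAMP())
GROUP BY user_name, client_ip, reported_client_type
ORDER BY single_factor_logins DESC;
```

The network policy is applied at account scope deliberately: a per-user policy leaves every unassigned user, including service accounts created later, outside the restriction. Service accounts that cannot complete MFA should be moved to key-pair authentication rather than exempted from the policy, since exemptions recreate the single-factor population the findings list describes.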
Live Nation’s infrastructure, including that of Ticketmaster, is primarily hosted on Amazon Web Services (AWS). Although AWS has not commented on the breach, a customer case study mentioning Live Nation was recently removed from Amazon’s website.
Before this, Australia’s Department of Home Affairs announced that it is investigating a cyber incident impacting Ticketmaster customers and is “working with Ticketmaster to understand the incident,” a spokesperson for the department said.