Monitor and Report
TLDR:
I’ve upgraded from Alert not Alarmed to Monitor and Report. This situation is pretty fluid, so what I have below is accurate at the time of release.
The Ticketmaster data had not been publicly declared sold at the time of posting. Since this appears to be both a poorly executed extortion attempt and a data sale attempt, it is possible the data never gets sold.
Ticketmaster has suffered a data breach - but we don’t know how big it truly is.
Snowflake has suffered a cyber incident and is using vendor support to conduct IR.
The initial impact to Ticketmaster took place on 20 May 2024.
Snowflake was impacted sometime in the past few weeks.
At least two Snowflake customers, Ticketmaster and Santander bank, have been confirmed as having data breaches.
Infostealers have been called out by multiple sources as being involved in the breaches. Exposed credentials via infostealers continue to cause damage across the cyber landscape.
It is unclear at this stage how big of an impact this incident will have.
Threat actors lie; it is possible they did not get all 500 million customers’ information from Ticketmaster as they claim.
Intro
This is a follow-up to the recent report I wrote and also an attempt to navigate this data breach situation; hopefully it is also useful for others who are trying to track and understand what is going on.
This is a community effort - I welcome anyone to use the information gathered here if it adds value for you. Also, if I have got things wrong or missed anything, please let me know - Team Work makes the Dream Work.
Also, thanks to all the public sources who have shared their knowledge and insights that I have used throughout this report.
Timeline:
This is the timeline of events as I have been able to gather. I have provided two versions - links to referenced information are available below.
References:
https://www.sec.gov/Archives/edgar/data/1335258/000133525824000081/lyv-20240520.htm
https://www.mitiga.io/blog/tactical-guide-to-threat-hunting-in-snowflake-environments
https://www.404media.co/ticketmaster-confirms-hack-in-sec-filing/
What do we know?
It is clear at this point that Ticketmaster has suffered a confirmed data breach. It is also clear that Snowflake has had a cyber incident; both have likely resulted from infostealers and exposed credentials.
We know that at least some other customers of Snowflake have been impacted by cyber incidents, but whether that is a direct result of Snowflake being impacted is not clear.
Infostealers are a persistent threat in the landscape and are causing significant damage.
What don’t we know?
Just how big are the claimed data breaches? In the case of Ticketmaster, did the threat actor truly get over 500 million customers’ data? Did they get less than that? What data was hosted on the Snowflake cloud at the time of the breach?
How widespread is the Snowflake breach? We know they are saying it is not directly from them, but they are also conducting incident response operations and have confirmed that stolen staff credentials were involved.
How many more companies will be linked to this cyber attack? Will anyone pay the poorly executed ransom demands made by the threat actor?
Has Ticketmaster really had over 500 million customers’ data stolen, making it one of the biggest breaches ever?
It seems as if there is too much ambiguity around this breach to have any clear understanding of its legitimacy. Outside of knowing that Ticketmaster has had data stolen, the limited evidence given by the threat actor on Exploit means it’s hard to confirm what they truly took. Yes, VX Underground said they saw lots of personally identifiable information (PII) and 404Media said they saw at least 10,000 pieces of data, but this is still well short of the claimed amount.
Taking another look at the evidence provided, you get the sense this could be fraud investigation data. One of the reasons is that the only Ticketmaster staff member whose details appear in the data sample is from the fraud department. If the data was from fraud investigations it would likely not be 500 million pieces of PII but something possibly smaller. But, at this stage it’s all hypothetical, and we will need to wait for either the threat actor to release all the data or for Ticketmaster to provide an update.
Who could actually be behind the Ticketmaster breach and possibly the wider Snowflake breach? Do we care?
Multiple threat researchers have reported speaking to the threat actor behind the Ticketmaster breach (I was not one of those researchers). I did, however, get exposed to the Telegram handle of the threat actor, and it has revealed some insights that are worth sharing.
Note: The following is my interpretation of the information available at hand and offers a possibility, not a definitive conclusion. Also, threat actors lie.
Using the Telegram handle provided, we were able to do a pretty quick search and come up with additional information - notably, the account holder claimed that they had ‘hacked’ Santander, which we know has been confirmed as being impacted by a cyber incident. The other organizations shown in the post are unknowns and have been removed.
This at least links this Telegram account with at least one recent cyber incident.
What I found interesting about this account is that they frequent at least one chat community that has been heavily linked to a notorious ransomware gang’s affiliates.
Then of course the threat actor themselves made a rather bold claim during a conversation.
There are two conclusions from this - the threat actor behind the Ticketmaster breach, and possibly the Snowflake breach, is a former affiliate of Scattered Spider or AlphV (BlackCat), OR they are full of crap and desperate for attention and credibility. The information presented makes it difficult to provide any confidence in an assessment either way.
I share this in case another researcher finds it of value.
Shinyhunters and BreachForums the only winners?
In this whole mess, with Ticketmaster and others pointing the blame at Snowflake, Snowflake putting the blame on its customers, and a threat actor that appears to have failed to make any money from what could be one of the world’s biggest breaches, has anyone won here?
Well, yes: Shinyhunters and BreachForums. Through all this chaos, Shinyhunters and their forum, BreachForums, have continued to draw global media attention, and this comes after the FBI took down the forum in April 2024. The reposting of this data has allowed Shinyhunters to quickly reestablish BreachForums as the dumping ground of choice for threat actors and their data sales and sharing.
Conclusion
There are a few key takeaways we can get from the current situation around the Ticketmaster breach:
Infostealers are bad.
Exposed credentials are bad.
Cyber security is hard.
Threat actors will seek the path of least resistance, especially when it is presented to them.
Companies who do not control the narrative will always struggle to retake control against threat actors.
Regardless of the outcome of this breach, it is becoming clear that both cyber security professionals and the general public are getting breach fatigue.