Ticketmaster attack does more than rub salt in wounds

The latest rash of security breaches raises worries of a pattern of stolen credentials being used for data theft from the cloud, says Jason Walsh

7 June 2024

Live Nation Entertainment, owner of ticket sales platform Ticketmaster, has become the latest victim of mass-scale cyber crime. According to a filing with the US financial regulator, the Securities and Exchange Commission (SEC), the company has “identified unauthorised activity within a third party cloud database environment”.

Cyber crime group ShinyHunters is believed to be behind the attack, taking personal information relating to 500 million Ticketmaster customers.

Ticketmaster, not exactly a beloved company, is one of the largest online ticket sales platforms in the world. Having their details stolen – it is not known yet exactly what information the hackers have grabbed – is certainly going to sting, given widespread bad feeling about high ticket prices and fees.

There is a broader picture than salt being rubbed into consumers’ wounds, though.

Breaches have been coming thick and fast of late. Last Friday it was reported that Australian outfit Ticketek had been compromised, and this week hospitals in London were hit with a ransomware attack. The bank Santander has also admitted it has been hit and customer information stolen.

Coincidence or not, the breaches follow the reappearance of infamous cyber crime website BreachForums in late May, also under the control of ShinyHunters.

Indeed, the Ticketmaster hack appears to be part of a wider plot targeting cloud platform Snowflake, which was also used by Santander. Notably, Ticketmaster’s statement to the SEC pointed to its unnamed cloud provider, while a statement issued by Santander noted the compromising of a database stored with a “third party provider”.

Snowflake has acknowledged unauthorised access to some customer accounts, but says it was “limited”. In a recent post on its website, Snowflake said it has “not identified evidence suggesting this activity was caused by a vulnerability, misconfiguration, or breach of Snowflake’s platform”.

That may be true, and it is obviously worth being sceptical of claims made on Internet forums by the very people hoping to extort vast sums of money from breached companies.

However, the US government body the Cybersecurity and Infrastructure Security Agency (CISA) has reported that “Snowflake indicated [to the CISA] a recent increase in cyber threat activity targeting customer accounts on its cloud data platform”. Meanwhile, the Australian Cyber Security Centre, part of the Australian Signals Directorate, said it was aware of “increased cyber threat activity regarding Snowflake customers”.

Snowflake has told customers to use multi-factor authentication (MFA), which, frankly, is always good advice. This is doubly true if, as is being suggested, the true source of the breaches is so-called “infostealing” malware.

Notably, TechCrunch says it has seen more than 500 credentials containing usernames and passwords linked to companies using the cloud provider.

“The exposed credentials appear to pertain to Snowflake environments belonging to Santander, Ticketmaster, at least two pharmaceutical giants, a food delivery service, a public-run freshwater supplier, and others,” wrote TechCrunch’s Zack Whittaker.

Infostealing has certainly been on the rise. For instance, a report published by IBM this year noted a 71% increase in the use of stolen credentials.

While we wait on the final word on the attacks, the best thing any organisation can do right now is implement, and insist on the use of, MFA.
