5 Things To Know On The Ticketmaster Breach

Live Nation disclosed that its Ticketmaster subsidiary was impacted by ‘unauthorized activity within a third-party cloud database environment.’

Live Nation disclosed Friday that its Ticketmaster subsidiary was impacted by malicious activity in a cloud database operated by a third party, which resulted in the theft of company data.

CRN reached out to Ticketmaster for further comment Monday.

Ticketmaster has reportedly identified Snowflake as the third-party cloud service, though Snowflake has said that its platform has not been breached.

ShinyHunters is the hacker group believed to be behind the breach, according to multiple media reports. In 2021, the group was connected to a breach of Astoria Co.

CRN reached out to Santander Bank, which multiple media reports have identified as another victim in the attacks by the ShinyHunters threat group. The company pointed to its May 14 statement on the incident, which disclosed that “certain information relating to customers of Santander Chile, Spain and Uruguay, as well as all current and some former Santander employees of the group had been accessed.”

What follows are five things to know about the Ticketmaster breach.

‘Unauthorized Activity’

In a filing with the U.S. Securities and Exchange Commission Friday, Live Nation said that it had “identified unauthorized activity within a third-party cloud database environment” on May 20.

The cloud database contained unspecified “company data,” which “primarily” belonged to Ticketmaster, Live Nation said.

The company said it began an investigation with assistance from “industry-leading forensic investigators.” Then on May 27, an unnamed “criminal threat actor” was observed offering “what it alleged to be [Live Nation] user data for sale via the dark web,” the filing said.

In addition to notifying law enforcement and regulators, Live Nation said it is also notifying users who have been affected by the “unauthorized access to personal information” stemming from the incident. The company has not disclosed how many users were impacted or what types of data were stolen.

Cloud Database Impacted

Live Nation did not mention Snowflake in the SEC filing Friday. However, an unidentified Ticketmaster spokesperson told TechCrunch that the affected cloud database was operated by Snowflake.

In response to the reports, Snowflake said in a post that it “has promptly informed the limited number of Snowflake customers who it believes may have been affected.”

Snowflake: We Weren’t Breached

However, the customers were not impacted as a result of compromised Snowflake employee credentials or a breach of the Snowflake platform, the company said in its post.

“We have not identified evidence suggesting this activity was caused by a vulnerability, misconfiguration, or breach of Snowflake’s platform,” the company said.

In response to an inquiry from CRN, a Snowflake spokesperson pointed to the same statement.

Additionally, “we have not identified evidence suggesting this activity was caused by compromised credentials of current or former Snowflake personnel,” Snowflake said.

Stolen Credentials Blamed

Rather than a breach or compromised Snowflake employee credentials, the company said in its post that it believes that “threat actors have leveraged credentials previously purchased or obtained through infostealing malware.”

“This appears to be a targeted campaign directed at users with single-factor authentication,” Snowflake said.

Additionally, the company “did find evidence that a threat actor obtained personal credentials to and accessed demo accounts belonging to a former Snowflake employee. It did not contain sensitive data,” the company said. This demo account was not protected by Okta or multi-factor authentication, Snowflake said.

CrowdStrike, Mandiant Weigh In

Snowflake said in its post that incident response teams from CrowdStrike and Mandiant agree with the company’s preliminary findings.

“Snowflake and third-party cybersecurity experts, CrowdStrike and Mandiant, are providing a joint statement related to our ongoing investigation involving a targeted threat campaign against some Snowflake customer accounts,” the company said in its post.