Ticketmaster Says Less Than 1,000 People Impacted By Data Breach

The disclosure contrasts with widely reported claims that hackers possessed data from 560 million Ticketmaster users.

Ticketmaster disclosed Friday that less than 1,000 people were impacted by a breach in the spring, contrasting with widely reported claims that hackers possessed data from 560 million Ticketmaster users.

In a breach notice posted by the Maine attorney general’s office, Ticketmaster LLC said the “total number of persons affected” amounts to fewer than 1,000.

CRN has reached out to Ticketmaster for comment.

Ticketmaster’s sample notice sent to affected customers suggests the incident dates back as far as early April.

“Based on our investigation, we determined that the unauthorized activity occurred between April 2, 2024, and May 18, 2024,” the company said in the notice.

Impacted data might have included name and basic contact information, Ticketmaster said, while the notice suggests other unspecified data may have also been affected. The company said it determined on May 23 that user information was impacted.

The comparatively narrow impact on customer data aligns with the May 31 regulatory filing from Ticketmaster parent company Live Nation, which suggested that the compromised cloud database contained unspecified “company data,” which “primarily” belonged to Ticketmaster rather than its customers.

Live Nation did not mention Snowflake in the U.S. Securities and Exchange Commission filing, but a Ticketmaster spokesperson told TechCrunch that the affected cloud database was operated by Snowflake.

The Ticketmaster breach is believed to have been part of a broad campaign by threat actors to target Snowflake customers with attacks utilizing stolen passwords. The list of other victims of the recent Snowflake attacks includes Santander Bank, Pure Storage, Advance Auto Parts and Neiman Marcus Group.

Mandiant researchers disclosed earlier this month that an estimated 165 organizations were potentially impacted in the Snowflake-focused attack campaign.

A cybercriminal group has been “suspected to have stolen a significant volume of records from Snowflake customer environments,” researchers at Mandiant, a major incident response firm owned by Google Cloud, said in a post at the time.

Impacted accounts had not been configured with multifactor authentication, Mandiant researchers confirmed.

Mandiant attributed the attacks to a previously unknown “financially motivated threat actor” it is now tracking as UNC5537.