The cybercriminal acting under the name “Sp1d3r” gave away the first 1 million records that are part of the data set that they claimed to have stolen from Ticketmaster/Live Nation. The files were released without a price, for free.

When Malwarebytes Labs first learned about this data breach, it happened to be the first major event that was shared on the resurrected BreachForums, and someone acting under the handle “ShinyHunters” offered the full details (name, address, email, phone) of 560 million customers for sale.

The same data set was offered for sale in an almost identical post on another forum by someone using the handle “SpidermanData.” This could be the same person or a member of the ShinyHunters group.

Following this event, Malwarebytes Labs advised readers on how to respond and stay safe. Importantly, even when a breach isn’t a “breach”—in that immediate moment when the details have yet to be confirmed and a breach subject is readying its public statements—the very news of the suspected breach can be used by advantageous cybercriminals as a phishing lure.

Later, Ticketmaster confirmed the data breach.

Bleeping Computer spoke to ShinyHunters who said they already had interested buyers. Now, Sp1d3r, who was seen posting earlier about Advance Auto Parts customer data and Truist Bank data, has released 1 million Ticketmaster related data records for free.

In a post on BreachForums, Sp1d3r said:

“Ticketmaster will not respond to request to buy data from us.

They care not for the privacy of 680 million customers, so give you the first 1 million users free.”

The cybercriminals that are active on those forums will jump at the occasion and undoubtedly try to monetize those records. This likely means that innocent users that are included in the first million released records could receive a heavy volume of spam and phishing emails in the coming days.

Protecting yourself after a data breach

There are some actions you can take if you are, or suspect you may have been, the victim of a data breach.

• Check the vendor’s advice. Every breach is different, so check with the vendor to find out what’s happened and follow any specific advice they offer.
• Change your password. You can make a stolen password useless to thieves by changing it. Choose a strong password that you don’t use for anything else. Better yet, let a password manager choose one for you.
• Enable two-factor authentication (2FA). If you can, use a FIDO2-compliant hardware key, laptop or phone as your second factor. Some forms of two-factor authentication (2FA) can be phished just as easily as a password. 2FA that relies on a FIDO2 device can’t be phished.
• Watch out for fake vendors. The thieves may contact you posing as the vendor. Check the vendor website to see if they are contacting victims, and verify the identity of anyone who contacts you using a different communication channel.
• Take your time. Phishing attacks often impersonate people or brands you know, and use themes that require urgent attention, such as missed deliveries, account suspensions, and security alerts.
• Consider not storing your card details. It’s definitely more convenient to get sites to remember your card details for you, but we highly recommend not storing that information on websites.
• Set up identity monitoring. Identity monitoring alerts you if your personal information is found being traded illegally online, and helps you recover after.

Check your exposure

While matters are still unclear how much information was involved, it’s likely you’ve had other personal information exposed online in previous data breaches. You can check what personal information of yours has been exposed with our Digital Footprint portal. Just enter your email address (it’s best to submit the one you most frequently use) to our free Digital Footprint scan and we’ll give you a report.

We don’t just report on threats – we help safeguard your entire digital identity

Cybersecurity risks should never spread beyond a headline. Protect your—and your family’s—personal information by using identity protection.

Enlarge (credit: Ric Tapia via Getty)

Hackers who stole terabytes of data from Ticketmaster and other customers of the cloud storage firm Snowflake claim they obtained access to some of the Snowflake accounts by first breaching a Belarusian-founded contractor that works with those customers.

About 165 customer accounts were potentially affected in the recent hacking campaign targeting Snowflake’s customers, but only a few of these have been identified so far. In addition to Ticketmaster, the banking firm Santander has also acknowledged that their data was stolen but declined to identify the account from which it was stolen. Wired, however, has independently confirmed that it was a Snowflake account; the stolen data included bank account details for 30 million customers, including 6 million account numbers and balances, 28 million credit card numbers, and human resources information about staff, according to a post published by the hackers. Lending Tree and Advance Auto Parts have also said they might be victims as well.

Snowflake has not revealed details about how the hackers accessed the accounts, saying only that the intruders did not directly breach Snowflake’s network. This week, Google-owned security firm Mandiant, one of the companies engaged by Snowflake to investigate the breaches, revealed in a blog post that in some cases the hackers first obtained access through third-party contractors, without identifying the contractors or stating how this access aided the hackers in breaching the Snowflake accounts.

Read 25 remaining paragraphs | Comments

Why the Snowflake Breach Matters

Ongoing Investigation and Preliminary Results in Snowflake Breach

Compromised Employee Account

Test Environments Targeted

Attack Path

Possible Reasons for the Breach

Unconfirmed Threat Actor Claims

Affected Customers from Snowflake Breach

• Santander Group: The company confirmed a compromise without mentioning Snowflake.
• Impact: Santander Bank staff and 30 million customers’ data has allegedly been breached.

• TicketMaster (Live Nation Entertainment subsidiary): Confirmed via an SEC 8-K report, with Snowflake identified as the third party involved.
• Impact: 560 Million TicketMaster user details and card info potentially at risk.

• LendingTree: Notified by Snowflake about a potential data impact involving QuoteWizard.
• Impact: On June 1, a hacker going by the name “Sp1d3r” posted on the cybercriminal platform BreachForums that they had stolen the sensitive information of over 190 million people from QuoteWizard. The alleged database included customer details, partial credit card numbers, insurance quotes and other information.

• Advance Auto Parts: Unconfirmed by the company, but a dark web listing claimed significant data theft.
• Impact: Same actor as LendingTree claimed leak of 380 million customers and 358,000 former and current employees.

• Pure Storage: The Pure Storage data breach involved a third party temporarily gaining access to the workspace, which housed data such as company names, LDAP usernames, email addresses, and the Purity software release version number.
• Impact: The same threat actor known as “Sp1d3r” claimed responsibility, alleging the theft of 3 terabytes of data from the company’s Snowflake cloud storage that was reportedly being sold for $1.5 million.

Security Measures and Customer Support

Key Recommendations for Snowflake Customers:

1. Enforce Multi-Factor Authentication: Make MFA mandatory for all accounts, particularly those with privileged access.
2. Regularly Rotate Credentials: Ensure that all credentials are regularly updated to prevent long-term exposure from previous leaks.
3. Implement Network Allow Lists: Restrict access to trusted IP addresses to minimize unauthorized access.
4. Enhance Logging and Monitoring: Improve logging and monitoring capabilities to detect and respond to suspicious activities promptly.

Not our fault, says CISO: “UNC5537” breached at least 165 Snowflake instances, including Ticketmaster, LendingTree and, allegedly, Advance Auto Parts.

The post Ticketmaster is Tip of Iceberg: 165+ Snowflake Customers Hacked appeared first on Security Boulevard.

In episode 333 of the Shared Security Podcast, Tom and Scott discuss a recent massive data breach at Ticketmaster involving the data of 560 million customers, the blame game between Ticketmaster and third-party provider Snowflake, and the implications for both companies. Additionally, they discuss Live Nation’s ongoing monopoly investigation. In the ‘Aware Much’ segment, the […]

The post Ticketmaster Data Breach and Rising Work from Home Scams appeared first on Shared Security Podcast.

The post Ticketmaster Data Breach and Rising Work from Home Scams appeared first on Security Boulevard.

Snowflake, Inc. says NO, threatening legal action against those who say it was. But reports are coming in of several more massive leaks from other Snowflake customers.

The post Was the Ticketmaster Leak Snowflake’s Fault? appeared first on Security Boulevard.

Ticketmaster and other organizations have been affected by a data breach at cloud AI data platform Snowflake.

The post Snowflake Data Breach Impacts Ticketmaster, Other Organizations appeared first on SecurityWeek.

Last week on Malwarebytes Labs:

• Data leak site BreachForums is back, boasting Live Nation/Ticketmaster user data. But is it a trap?
• The Ticketmaster “breach”—what you need to know
• Ticketmaster confirms customer data breach
• How to tell if a VPN app added your Windows device to a botnet
• Beware of scammers impersonating Malwarebytes
• How to turn off location tracking on iOS and iPadOS
• How to turn off location tracking on Android
• pcTattletale spyware leaks database containing victim screenshots, gets website defaced

Last week on ThreatDown:

• Okta suffers more credential stuffing attacks
• Operation Endgame—the largest ever battering for botnets
• North Korean threat actor behind new ransomware
• Akira ransomware gang: Who they are and how to prevent infection
• 140 Ascension facilities still reeling from ransomware attack
• Ticketmaster, Santander Bank breaches linked to Snowflake hack, threat actor claims

Stay safe!

Our business solutions remove all remnants of ransomware and prevent you from getting reinfected. Want to learn more about how we can help protect your business? Get a free trial below.

Live Nation Entertainment has confirmed what everyone has been speculating on for the last week: Ticketmaster has suffered a data breach.

In a filing with the SEC, Live Nation said on May 20th it identified “unauthorized activity within a third-party cloud database environment containing Company data (primarily from its Ticketmaster L.L.C. subsidiary)” and launched an investigation.

The third party it refers to is likely Snowflake, a cloud company used by thousands of companies to store, manage, and analyze large volumes of data. Yesterday, May 31st, Snowflake said it had “recently observed and are investigating an increase in cyber threat activity” targeting some of its customers’ accounts. It didn’t mention which customers.

In the SEC filing, Live Nation also said:

On May 27, 2024, a criminal threat actor offered what it alleged to be Company user data for sale via the dark web. We are working to mitigate risk to our users and the Company, and have notified and are cooperating with law enforcement. As appropriate, we are also notifying regulatory authorities and users with respect to unauthorized access to personal information.

The user data likely refers to the sales ad for 560 million customers’ data that was posted online earlier this week by a group calling themselves ShinyHunters. The data was advertised for $500,000 and says it includes customer names, addresses, emails, credit card details, order information, and more.

Bleeping Computer says it spoke to ShinyHunters who said they already had interested buyers, and believed one of the buyers that approached them was Ticketmaster itself.

Ticketmaster says it has begun notifying its users of the breach. We are likely to hear more in the coming days, and will update you as we do.

For now, Ticketmaster users should keep an eye on their credit and bank accounts for an unauthorized transactions and follow our general data breach tips below.

Protecting yourself after a data breach

There are some actions you can take if you are, or suspect you may have been, the victim of a data breach.

• Check the vendor’s advice. Every breach is different, so check with the vendor to find out what’s happened, and follow any specific advice they offer.
• Change your password. You can make a stolen password useless to thieves by changing it. Choose a strong password that you don’t use for anything else. Better yet, let a password manager choose one for you.
• Enable two-factor authentication (2FA). If you can, use a FIDO2-compliant hardware key, laptop or phone as your second factor. Some forms of two-factor authentication (2FA) can be phished just as easily as a password. 2FA that relies on a FIDO2 device can’t be phished.
• Watch out for fake vendors. The thieves may contact you posing as the vendor. Check the vendor website to see if they are contacting victims, and verify the identity of anyone who contacts you using a different communication channel.
• Take your time. Phishing attacks often impersonate people or brands you know, and use themes that require urgent attention, such as missed deliveries, account suspensions, and security alerts.
• Consider not storing your card details. It’s definitely more convenient to get sites to remember your card details for you, but we highly recommend not storing that information on websites.
• Set up identity monitoring. Identity monitoring alerts you if your personal information is found being traded illegally online, and helps you recover after.

Scan for your exposed personal data

While the Ticketmaster data is yet to be published in full, it’s likely you’ve had other personal information exposed online in previous data breaches. You can check what personal information of yours has been exposed with our Digital Footprint portal. Just enter your email address (it’s best to submit the one you most frequently use) to our free Digital Footprint scan and we’ll give you a report.

The ShinyHunters hacking group has claimed the theft of 560 million Ticketmaster users’ data on a fresh BreachForums portal.

The post Hackers Boast Ticketmaster Breach on Relaunched BreachForums appeared first on SecurityWeek.

Earlier this week, a cybercriminal group posted an alleged database up for sale online which, it says, contains customer and card details of 560 million Live Nation/Ticketmaster users.

The data was offered for sale on one forum under the name “Shiny Hunters”. ShinyHunters is the online handle for a group of notorious cybercriminals associated with numerous data breaches, including the recent AT&T breach.

The post says:

“Live Nation / Ticketmaster

Data includes

560 million customer full details (name, address, email, phone)

Ticket sales, event information, order details

CC detail – customer last 4 of card, expiration date

Customer fraud details

Much more

Price is $500k USD. One time sale.”

The same data set was offered for sale in an almost identical post on another forum by someone using the handle SpidermanData. This could be the same person or a member of the ShinyHunters group.

According to news outlet ABC, the Australian Department of Home Affairs said it is aware of a cyber incident impacting Ticketmaster customers and is “working with Ticketmaster to understand the incident.”

Some researchers expressed their doubts about the validity of the data set:

While others judged it looks legitimate based on conversations with involved individuals, and studying samples of the data set:

Whether or not the data is real remains to be seen. However, there’s no doubt that scammers will use this opportunity to make a quick profit.

Ticketmaster users will need to be on their guard. Read our tips below for some helpful advice on what to do in the event of a data breach.

You can also check what personal information of yours has already been exposed online with our Digital Footprint portal. Just enter your email address (it’s best to submit the one you most frequently use) to our free Digital Footprint scan and we’ll give you a report.

All parties involved have refrained from any further comments. We’ll keep you posted.

Protecting yourself after a data breach

There are some actions you can take if you are, or suspect you may have been, the victim of a data breach.

• Check the vendor’s advice. Every breach is different, so check with the vendor to find out what’s happened, and follow any specific advice they offer.
• Change your password. You can make a stolen password useless to thieves by changing it. Choose a strong password that you don’t use for anything else. Better yet, let a password manager choose one for you.
• Enable two-factor authentication (2FA). If you can, use a FIDO2-compliant hardware key, laptop or phone as your second factor. Some forms of two-factor authentication (2FA) can be phished just as easily as a password. 2FA that relies on a FIDO2 device can’t be phished.
• Watch out for fake vendors. The thieves may contact you posing as the vendor. Check the vendor website to see if they are contacting victims, and verify the identity of anyone who contacts you using a different communication channel.
• Take your time. Phishing attacks often impersonate people or brands you know, and use themes that require urgent attention, such as missed deliveries, account suspensions, and security alerts.
• Consider not storing your card details. It’s definitely more convenient to get sites to remember your card details for you, but we highly recommend not storing that information on websites.
• Set up identity monitoring. Identity monitoring alerts you if your personal information is found being traded illegally online, and helps you recover after.

We don’t just report on threats – we help safeguard your entire digital identity

Cybersecurity risks should never spread beyond a headline. Protect your—and your family’s—personal information by using identity protection.

Notorious data leak site BreachForums appears to be back online after it was seized by law enforcement a few weeks ago.

At least one of BreachForums domains and its dark web site are live again. However, questions have been raised over whether it is a genuine attempt to revive the forums once again or set up as a lure by law enforcement to entrap more data dealers and cybercriminals.

The administrator of the new forum posts under the handle ShinyHunters, which is a name associated with the AT&T breach and others, and believed to be the main administrator of the previous BreachForums.

Yesterday, ShinyHunters posted a new dataset for sale that allegedly stems from Live Nation/Ticketmaster.

“Live Nation / Ticketmaster

Data includes

560 million customer full details (name, address, email, phone)

Ticket sales, event information, order details

CC detail – customer last 4 of card, expiration date

Customer fraud details

Much more

Price is $500k USD. One time sale.”

But, an avatar and a handle are easily copied, and there are a few things that raised our spidey-senses that something is up.

First, the data set was offered for sale on another dark web forum by a user going by SpidermanData with the exact same text.

Second, this data set seems way too big for its nature. Live Nation and Ticketmaster are big enough to be considered a monopolist, but 560 million users seems like a stretch.

After looking at the shared evidence, security researcher CyberKnow tweeted:

“While there is some new data in the shared evidence there is also old customer information, making it possibly this is a series of data jammed together.”

Third, a new feature is that visitors need to register before they can see any content. Why would the administrators change that?

And, last but not least, would the FBI let the cybercriminals regain control over the domains that easily? That would be quite embarrassing.

So, we dare conclude that this dataset’s goal is to generate some attention and act as a lure to let old forum users know that BreachForums is alive and kicking. But who is running the show, is the question that we hope to answer soon.

Stay tuned for updates on this developing story.

Protecting yourself after a data breach

There are some actions you can take if you are, or suspect you may have been, the victim of a data breach.

• Check the vendor’s advice. Every breach is different, so check with the vendor to find out what’s happened, and follow any specific advice they offer.
• Change your password. You can make a stolen password useless to thieves by changing it. Choose a strong password that you don’t use for anything else. Better yet, let a password manager choose one for you.
• Enable two-factor authentication (2FA). If you can, use a FIDO2-compliant hardware key, laptop or phone as your second factor. Some forms of two-factor authentication (2FA) can be phished just as easily as a password. 2FA that relies on a FIDO2 device can’t be phished.
• Watch out for fake vendors. The thieves may contact you posing as the vendor. Check the vendor website to see if they are contacting victims, and verify the identity of anyone who contacts you using a different communication channel.
• Take your time. Phishing attacks often impersonate people or brands you know, and use themes that require urgent attention, such as missed deliveries, account suspensions, and security alerts.
• Consider not storing your card details. It’s definitely more convenient to get sites to remember your card details for you, but we highly recommend not storing that information on websites.
• Set up identity monitoring. Identity monitoring alerts you if your personal information is found being traded illegally online, and helps you recover after.

Check if your data has been breached

Our Digital Footprint portal allows you to quickly and easily check if your personal information has been exposed online. Just enter your email address (it’s best to submit the one you most frequently use) to our free Digital Footprint scan and we’ll give you a report.

We don’t just report on threats – we help safeguard your entire digital identity

Cybersecurity risks should never spread beyond a headline. Protect your—and your family’s—personal information by using identity protection.