560 Million Human Identities Have Been Stolen. Who’s at Risk?
The Ticketmaster / LiveNation Data Breach Will Be Remembered as One of the Largest Cybersecurity Blunders in Modern Times. What Subset of Users is Likely to be the Most Affected?
What happened?
Ticketmaster and its parent company Live Nation experienced a significant data breach. The cybercriminal group ShinyHunters claimed responsibility for the hack, which allegedly compromised the personal information of 560 million customers. The stolen data includes names, addresses, phone numbers, email addresses, partial credit card details (last four digits and expiration dates), and other sensitive information. The group is reportedly selling the data on the dark web for $500,000.
Why is this a big deal?
Aside from the astronomical number of people whose lives are now at real risk of fraud and identity theft, the key reason why this is critical is that entertainment tickets are not considered to be a hugely sensitive part of life, so most people don’t pay particular attention to how they protect their accounts and passwords on these platforms. Naturally, they trusted the company to protect their identities and will be disappointed to find that their confidence was misplaced. However, numerous research studies from diverse sources including Verizon, Norton and Bitwarden point to the fact that between 65% and 85% of users admit to reusing passwords across platforms and accounts.
The perception of sensitivity being lower as it pertains to Ticketmaster, those passwords are likely to have been reused across a slew of other accounts, opening users to the real risk of password stuffing: the malicious practice of trying one password across a wide range of sites and services in the hope of exploiting password reuse practices and taking over a larger part of a victim’s identity.
What data was stolen?
According to the criminal team that stole the data and put it up for sale, the 1.3 terabyte trove of information includes names, addresses, phone numbers, email addresses, partial credit card details (last four digits and expiration dates), and other sensitive information. The fact that the group is reportedly selling the data on the dark web for only $500,000 is suspicious because we have seen a lot less stolen data go for a lot more money.
Take for instance the recent $25 million London Drugs extortion attempt. That amount was (allegedly) only for employee data and at most 300 gigabytes of data. To add to the suspicion, Ticketmaster identified unauthorized activity in their systems on May 27, 2024, when the hacker group ShinyHunters — which has now made a name for itself breaching AT&T, Pizza Hut and Santander Bank—began offering stolen customer data for sale on the dark web.
But seriously, why only half a million bucks for one of the largest data troves in history? The answer is as sinister as it is simple. The data is not for Ticketmaster or any small time crook to buy. It is intended for purchase by serious cybercrime groups who in turn can reuse it to victimize ticketmaster customers, event organizers and other entities whose confidential data was stored in the compromised database.
In effect, ShinyHunters is not your typical cybercrime organization, like the infamous LockBit cyberextortion group that breached London Drugs. Instead, it acts as a supplier to such organizations by initially breaching defenses and selling the stolen access to other entities within the broader criminal ecosystem. In this way, an Initial Access Broker (IAB) like ShinyHunters can avoid negotiating ransoms or micromanaging transactions with small players, preferring instead to play a much more critical role in facilitating large-scale cyber attacks and other malicious activities by offering a fundamental service to their industry.
As a new kind of industry player, IABs are as effective as they are dangerous, because they commoditize sophisticated hacks, making sensitive data and access easily available to the larger ecosystem of specialized threat actors and bottom feeders with different degrees of competence. Overall, they have the potential to vastly enlarge the cybercrime world by increasing access, impact, affordability and collaboration.
This may well be the reason why Ticketmaster had no warning of the breach, publicly stating that they detected the incident when the data went up for sale on the Dark Web.
Is that a little too late?
I’m not the only one to think so. A lawsuit filed immediately after the breach was made public says that Ticketmaster failed to notify customers of the alleged breach. “Defendants have not released a statement nor notified its customers that their private information has been compromised and is likely in the hands of threat actors. Ticketmaster consumers are in the dark, unaware that their private information may be used to effectuate identity theft, phishing scams, plunging credit scores and related cybercrimes.
Additionally, the lawsuit alleges that the Ticketmaster breach was “a direct result of the Defendants’ failure to implement adequate and reasonable cybersecurity procedures and protocols, consistent with the industry standard necessary to protect private information from the foreseeable threat of a cyberattack.”
Reports of the hacking come a week after LiveNation, which owns Ticketmaster, was sued by the US Department of Justice across 30 states, over claims it is running an illegal live event “monopoly”, driving up prices for fans and pushing out smaller competition.
Who is responsible?
While we know that Ticketmaster / LiveNation is ultimately the organization accountable for the harms caused to the victims of this catastrophic breach, it appears that another company may be responsible for at least part of the security compromise.
Snowflake is a big data — er… it is an AI Data Cloud for Mobile data and apps — platform used by companies like Santander Bank, Ticketmaster and 9435 others to analyze monumental amounts of customer data or “learn, build, and connect with their data-driven peers”. This past week, Australia’s Cyber Security Center issued a High alert indicating that it is “aware of successful compromises of several companies utilizing Snowflake environments”. By some indications, Snowflake clients may have been impacted by unauthorized access to ServiceNow admin accounts stolen using keyloggers or data stealers on employee machines and exploited by bypassing the OKTA authentication process.
Multiple security companies have come forward alluding to a large number of Snowflake clients having suffered recent security incidents and even current data breaches, as yet unannounced. In the meantime, Snowflake acknowledged a limited breach and published some basic recommendations for securing accounts, being careful not to take full responsibility for the rapidly expanding blast radius.
Who is at the highest risk?
While some people are making light of the situation, others are demonstrating distrust and even contempt for the ticketing giant:
But seriously, who is really likely to be affected?
- people who did in fact reuse passwords
- people who rarely enable multifactor authentication
- people unfamiliar with the breach, who are more likely to click a phishing link as a result.
The criminal group ShinyHunters is particularly adept at creating cloned websites and catchy phishing emails in the hope of socially engineering their victims into clicking through, so it makes sense for literally everyone to now:
- ensure that their Ticketmaster password was not used anywhere else, and change it if it was
- enable multifactor authentication on every account that offers it
- monitor credit ratings and payment card statements
All of these are reasonable recommendations at the best of times, but it’s interesting how a catastrophic breach focuses the mind on retroactively adopting cyber hygiene and information security best practices.
Finally, the impact on the entire supply chain should not be underestimated. Event organizers in particular, whose dependence on LiveNation and Ticketmaster is critical, are likely to experience their own reputational impact and other harms as a result of the massive hack.
The big question
The main question on everyone’s lips should now be: why was sensitive information not encrypted and why were passwords not hashed? As everyone may recall, hashing is a way to irreversibly scramble data so that it can never be decrypted. When implemented properly, this technique works to prevent data breaches and access compromises like the one we are discussing.
Last week’s introduction of ChatGPT 4o seemed like a good time to ask the newly-sharpened AI tool about that. Here’s what it said:
As of now, there are no detailed reports confirming whether the passwords involved in the Ticketmaster breach were hashed or encrypted. Typically, well-managed companies use hashing to store passwords securely. Hashing is a one-way function that converts passwords into a fixed-length string of characters, which cannot be reversed. Encryption, on the other hand, is a two-way function that allows data to be decrypted back into its original form using a key.
If it turns out that passwords were not encrypted or hashed, it could be due to several possible reasons:
Legacy Systems: Older systems might not have been designed with modern security practices in mind. Upgrading such systems can be complex and costly.
Lack of Compliance: Some organizations might not strictly adhere to best practices for data security, either due to oversight or lack of regulatory pressure.
Complexity and Cost: Implementing strong encryption and hashing mechanisms can be technically challenging and expensive, especially for large-scale operations with extensive legacy infrastructure.
Data Management Practices: In some cases, the focus might be more on operational efficiency than on security, leading to inadequate data protection measures.
Third-Party Vendor Vulnerabilities: Sometimes, the breach occurs through third-party service providers who may not implement strong security measures, as was seen in the 2018 Ticketmaster breach via a third-party customer support provider.
For a more precise answer, Ticketmaster or the forensic investigators involved in the breach would need to provide detailed information on the security measures that were in place.
I’ll leave the last word to the reddit users whose diverse opinions in situations like these, always seem to result in the unfortunate truth bubbling up to the surface, be it through dismay, sarcasm or derision: