Colossal Ticketmaster leak appears legit, millions affected


The alleged Ticketmaster breach of “absolutely massive” proportions, exposing 560 million customers, appears to contain authentic data, researchers say. Authorities have approached Ticketmaster to “understand” the incident.

Researchers from vx-underground, talking to well-informed individuals involved in the alleged Ticketmaster breach, were provided with a large data sample. Vx-underground is an anonymous threat analyst group, regularly posting bulletins on X regarding threat actors.

“Based on data provided to us by the Threat Group responsible for the compromise, we can assert with a high degree of confidence the data is legitimate. Date ranges in the database appear to go as far back as 2011. However, some dates show information from the mid-2000s,” vx-underground tweeted.

The latest entries with transaction data are from March 10th, 2024. However, there may be later records. Even as a sample, it was “absurdly large and made it difficult to review in-depth,” researchers noted.

The leak exposes personal information that includes full names, email addresses, physical addresses, telephone numbers, hashed credit card numbers, their types, authentication type, and “all user financial transactions.”

According to the individuals involved in the incident, “sometime in April,” an unidentified threat group gained unauthorized access to Ticketmaster's Amazon Web Services (AWS) instances by pivoting from a company that provides IT services to Ticketmaster.

ShinyHunters, a threat actor that put the data up for sale on the rebooted illicit marketplace BreachForums for $500,000, doesn’t take credit for the breach, as “they are acting as a proxy for the Threat Group responsible for the compromise.”

Troy Hunt, a security consultant who runs the data-breach search website Have I Been Pwned, described the scale of the incident as “absolutely massive” if it’s legit.

The Australian Department of Home Affairs confirmed to ABC News that it was aware of a cyber incident impacting Ticketmaster customers and “is working with Ticketmaster to understand the cybersecurity incident.”

A US embassy spokesperson told AFP that the FBI has offered assistance to Australian authorities.

However, Ticketmaster has not yet acknowledged whether the alleged breach happened. Ticketmaster has not responded to inquiries from Cybernews or any other media for more details.

ShinyHunters emerged as an international cyber threat group in 2020. It is behind the illicit marketplace BreachForums, which was recently seized by the FBI and later retaken. One of its largest breaches, the AT&T database containing over 70 million customer records, is eight times smaller than the alleged Ticketmaster leak.