
The cyber attack on Ticketmaster

Hundreds of millions of customer records stolen


One of the most significant cyberattacks of the year might be underway. On Friday, May 31, 2024, Live Nation, the company behind Ticketmaster, confirmed a data breach after cybercriminals claimed to be selling half a billion customer records online. Santander, the banking giant, also reported that data on millions of customers and employees had been compromised by the same group of hackers. The exact details of these breaches, including what information was stolen and how, remain unclear. The incidents appear to be linked to attacks targeting corporate accounts hosted by Snowflake, a US cloud provider whose clients include Adobe, Canva, and Mastercard, which store and analyze massive amounts of data there. Security experts believe other companies may soon reveal similar breaches. Currently, the situation remains complex and confusing. “Snowflake has recently observed and is investigating an increase in cyber threat activity targeting some of our customers' accounts,” wrote Brad Jones, Snowflake's Chief Information Security Officer, in a blog post on Friday.


The first signs of these breaches appeared on May 27, when an account on the cybercriminal forum “Exploit” announced the sale of 1.3 TB of Ticketmaster data, containing information on over 560 million people. The hacker was asking for $500,000 for this database. The group ShinyHunters, known for data theft since 2020, then posted the same announcement on BreachForums, a forum recently relaunched after being shut down by the FBI. On May 30, ShinyHunters claimed to have sold data from 30 million Santander customers and employees for $2 million. These announcements have reignited interest in the illegal market. Both hacks were linked to Snowflake by Israeli security company Hudson Rock, which published and then deleted conversations with the hacker claiming to have accessed Snowflake systems and attempted to resell the data for $20 million. Hudson Rock suggested that a Snowflake employee might have been infected by information-stealing malware. Charles Carmakal of Mandiant, a security company owned by Google, also indicated that information-stealing malware might be involved. Ticketmaster confirmed that its stolen database was hosted on Snowflake in a filing with the SEC. Santander had previously mentioned unauthorized access to a database “hosted by a third-party provider”, without naming the provider.

Authorities are warning about the potential impact of these attacks. The Australian Cyber Security Centre issued a “high” alert, highlighting the compromises of several companies using Snowflake environments. It advises resetting account credentials, enabling multi-factor authentication, and monitoring user activity. “It appears that Snowflake has suffered a pretty significant security compromise,” said security researcher Troy Hunt from the well-known data breach notification website “Have I Been Pwned” in an interview with WIRED.

Security company Mitiga revealed that a threat actor is using an attack tool called “rapeflake” against Snowflake databases. Roei Sherman, Mitiga's Field CTO, indicates that little is known about this tool, but the attack could have wider repercussions in the future. Several affected companies have sought help from Mitiga, and Mandiant has assisted some of Snowflake's clients. “We have not yet seen the full extent of the fallout,” Sherman explains. “Snowflake has thousands of customers, and some of their clients are large enterprises. We hope to learn more about other compromised companies.”