As if Ticketmaster had not earned enough negative sentiment already, the company now appears to be dealing with a massive data breach that involves payment information. The hacking group ShinyHunters, which has been around for several years and involved in a number of prior high-profile breaches, is claiming to have the contact information and partial payment information of about 560 million Ticketmaster customers.
It is possible that the scope of the data breach has been exaggerated. ShinyHunters are among the operators of Breachforums, which is where the stolen data (some 1.3 terabytes) was listed. Breachforums was raided very recently, with substantial assets seized and one of its main operators arrested. The incident thus could be a spectacle to reassure its underground clientele that things are back to normal, but some security researchers believe there is solid evidence to indicate it is legitimate.
Ticketmaster data breach includes partial payment information, ticket order history
Ticketmaster has gone through decades of blows to its reputation, yet persists as the nation’s largest ticket vendor to such a degree that the DOJ just recently opened an investigation into its monopoly status. The company last made national news for angering Taylor Swift fans by letting bots snatch up masses of tickets to her recent world tour, but has also been involved with other data breaches in recent years: first as a victim in 2018, losing 40,000 UK customer records to the Magecart gang, and then as perpetrator of an odd hack on upstart rival company Songkick.
What can Ticketmaster customers expect from the recent data breach? As far as payment information goes, all that was exposed appears to be the last four digits of card numbers. But the attack also exposed contact information associated with Ticketmaster accounts, such as email addresses and phone numbers, and will likely lead to a big spike in phishing attempts. It remains unclear if all of the exposed accounts also had payment information leaked, as Ticketmaster has yet to acknowledge the breach or send out notifications.
Ticketmaster customers await full fallout of breach
At this point ShinyHunters has apparently attempted to collect a ransom from Ticketmaster, which does not appear to have been successful, and has moved to the “Plan B” of offering the cache of data for sale for $500,000. The worst outcome for Ticketmaster customers would be a public dump, though this usually happens some years after private sales take place as the value of the cache is gradually exhausted by cyber criminals.
There is still no indication of how the data breach took place, at least from official channels. But at least one well-known security research outfit, vx-underground on X, claims to have spoken to insiders and learned that a managed service provider was breached in April. This led to downstream access to Ticketmaster customers.
Ticketmaster customers have little to work with at the moment, not even a formal acknowledgement of a data breach from the company or an offer of free credit monitoring. The best hope is that ShinyHunters is inflating the size of the attack, either as a publicity stunt or some sort of rugpull attempt to extract a little more value out of a forum heavily compromised by law enforcement. The situation is oddly reminiscent of the hacking team’s 2021 encounter with AT&T, however, in which it claimed to have stolen some 20 million customer records and was met with great skepticism and full denial from the telephony giant. It later came out (in early 2024) that the breach was legitimate, and involved about 70 million records, when the tranche appeared on the dark web for public download.