Everything You Should Know About the Ticketmaster Data Breach

Things are simply not going well for the Live Nation Entertainment conglomerate and its subsidiary Ticketmaster. Back in May 2024, the U.S. Justice Department (DOJ) initiated legal action against both companies for violating federal and state laws related to "antitrust, competition, unlawful or unfair business practices, restraint of trade, and other causes of action."

The lawsuit marks an endgame to Ticketmaster’s 2022 ticketing debacle, which affected ticket sales for the American leg of Taylor Swift’s Eras Tour. Already then, the company’s fiasco led to several fans filing lawsuits against the platform over price fixing, fraud, antitrust, intentional deception, and other violations.

Both Live Nation and Ticketmaster have denied guilt, attributing the lawsuit to competitors who try to limit competition and ticket brokers who want to continue "jacking up the prices."

Now, just a month after the DOJ lawsuit, Ticketmaster is facing another significant issue. In recent emails sent to its customers, the company confirmed a massive breach of its data. In the notice, Ticketmaster says that "an unauthorized third party obtained information from a cloud database hosted by a third-party data services provider" between April 2 and May 18, 2024.

Information about the breach first resurfaced at the end of May 2024. In a post published on the cybercrime platform Breach Forums, the notorious ShinyHunters hacking group claimed to have stolen the personal data of 560 million users across the USA, Canada, and Mexico. This reportedly amounts to 1.3 terabytes of data. An investigation revealed that the hackers accessed data by stealing the login details from Snowflake, the company managing Ticketmaster’s cloud storage account.

As reported by Hackread, ShinyHunters has allegedly accessed a "treasure trove" of sensitive user information, including their full names, addresses, email addresses, phone numbers, ticket sales details, event information, and order details. They have also obtained partial card payment data, including customer names, the last four digits of their card numbers, the expiration dates, and even customer fraud details. As a cherry on top, the hacker group has put all the data up for sale with an initial asking price of $500,000.

While Ticketmaster acknowledged the breach, validating ShinyHunter’s post and Hackread’s initial report, it denied that the cyberattack would materially impact its business operations. The company also said it was cooperating with law enforcement and taking steps to mitigate any risk to its users.

In early July, new details emerged indicating that the breach was much bigger than anticipated. Just in time for the annual Independence Day celebrations, ShinyHunters claimed to have stolen a total of 193 million ticketing barcodes. These include 440,000 Taylor Swift Eras Tour tickets, valued at $22 billion.

In yet-another thread on Breach Forums, titled “Ticketmaster event barcodes ‘Taylor Swift’ pt 1/65000,” the group suggested that Swift would be “performing in front of the congress” instead of her tour, indicating the breach’s far-reaching consequences and public exposure.

Additionally, ShinyHunters alleged that Live Nation originally offered to pay $1 million to keep the breach hidden from the public, with the hackers originally accepting the offer. However, after processing the data, they decided to increase their ransom ask to $8 million. They justified this increase by claiming they had found ways to make the breach more expensive and complicated for the affected company.

“Due to the nature of company ending exfil event after the crosswalk, [we] no longer accept $1M as we found out how to make way more expensive and insurance surely accepts this; we restart negotiations at $8M let the negotiator and insurance now. Otherwise for buyers $8M and you’re going first.”

The hacking group has also revealed the extensive nature of their actions in this post, claiming to have gained access to:

• 680M orders details,

• 980M sales orders,

• 1.2 billion party lookup records,

• Patron table,

• 400M encrypted credit card details with partial information,

• 560M AVS (Address Verification System) detail records,

• 4M encased and de-duped records, and

• 440M unique email addresses.

They didn’t forget to celebrate their achievements, claiming their attack to be the largest publicly-disclosed non-scrape breach of customer PII (Personal Identifiable Information) up to date.

Following ShinyHunters' post, another Breach Forum user who goes under the name “Sp1d3rHunters” shared a new listing of 170,000 leaked Taylor Swift’s Eras Tour ticket barcodes. They demand a $2 million ransom and threaten to leak the information of 680 million users and 30 million more event barcodes to more Taylor Swift events, P!nk, Sting, F1 Formula Racing, NFL, and thousands more entertainment events.

While “Sp1d3rHunters” are believed to be related to the original group of hackers, this information has yet to be validated. In the worst-case scenario, Ticketmaster has been hacked and is now being blackmailed by two separate hacking groups. Another, more likely, possibility is that the hackers are trying to get as much money from the data breach as possible.

As of the time of writing, the thread published by ShinyHunters is no longer available. The only listing of breached customer data from Ticketmaster on the forums is the one published by Sp1d3rHunters requesting the $2 million ransom.

Ticketmaster didn’t take long to react to the threats made by the hacking group(s), asserting that no ticket information had been stolen. The company's statement revealed that its SafeTix technology prevents ticket theft by automatically refreshing the barcodes “every few seconds.” “This is just one of many fraud protections we implement to keep tickets safe and unassailable,” the company alleges.

Ticketmaster also denied any involvement in ransom negotiations, stating that, “Some outlets are inaccurately reporting about a ransom offer. We were never engaged for a ransom and did not offer them money.”

However, the accuracy of the Ticketmaster’s statement is now being challenged by both Hackread and the hacker group Sp1d3rHunters. In a follow-up thread, Sp1d3rHunters pointed out that Ticketmaster’s comments do not address physical tickets.

“Our Response: Ticketmaster lies to the public and says barcodes can not be used,” reads Sp1d3rHunters’ statement. “Tickets database includes both online and physical ticket types. Physical ticket types are Ticketfast, e-ticket, and mail. These are printed and can not be automatically refreshed.”

Sp1d3rHunters further emphasized their point by issuing a ransom demand: “To Ticketmaster: Ticketfast is [the] smallest number of printable tickets,” a separate ransom demand reads. “You now have to reset 30k more tickets. Pay us $2million or we will leak the Mail and E-ticket barcodes for all your events.” With the demand, they also published “4-Step Guide to make your own Tickfast [sic] event PDFs with TM’s official ticket guide.”

In addition, on July 12, the hackers leaked another 10 million reportedly ‘un-refreshable’ tickets (mail and E-tickets) to events and concerts featuring stars like Pearl Jam, Jennifer Lopez, Foo Fighters, Hozier, Rolling Stones, and Taylor Swift.

Amid the ongoing controversy and investigations, Ticketmaster is already facing severe consequences. In May, two California residents filed a nearly 40-page class action lawsuit in California’s Central District Court over the data breach. The plaintiffs allege that both Live Nation and Ticketmaster failed to adequately secure their personal information, including full names, addresses, email addresses, partial payment card information, and more.

The lawsuit accuses Ticketmaster of negligence, breach and fiduciary duty, and other failings, citing the company’s inability “to implement and follow even the most basic security procedures.”

According to the plaintiffs, the 560 million individuals affected by the breach will face long-term repercussions, including an “increased risk of identity theft, and will consequentially have to spend, and will continue to spend, significant time and money to protect themselves.” The legal text also emphasizes the potential “emotional pain and mental anguish and embarrassment” that the victims may experience.

Overall, the submitted suit seeks to establish a nationwide class for all U.S. residents whose information was reportedly lifted and a subclass for California residents.