Ticketmaster has started to notify customers who were impacted by a data breach after hackers stole the company’s Snowflake database, containing the data of millions of people.

“Ticketmaster recently discovered that an unauthorized third party obtained information from a cloud database hosted by a third-party data services provider,” reads a data breach notification shared with the Office of the Maine Attorney General.

“Based on our investigation, we determined that the unauthorized activity occurred between April 2, 2024, and May 18, 2024. On May 23, 2024, we determined that some of your personal information may have been affected by the incident. We have not seen any additional unauthorized activity in the cloud database since we began our investigation.”

Ticketmaster says that the breach exposed customers’ names, basic contact information, and “<extra>” information, which is different depending on the user.

The company recommends customers “remain vigilant” against identity theft and fraud and has offered one year of free identity monitoring to track their credit history.

While Ticketmaster lazily said the breach only impacted more than 1000 people (“>1000”), it actually impacted millions of customers worldwide and exposed what many would consider much more sensitive information.

Ticketmaster’s Snowflake data theft attack

Last month, a threat actor known as ShinyHunters began selling stolen data from Live Nation/Ticketmaster, claiming it contained the personal information and credit card information of 560 million users.

The threat actors used compromised Ticketmaster credentials that did not have multi-factor authentication enabled to steal the data from their Snowflake account.

Snowflake is a cloud-based data warehousing company used by enterprises to store databases, process data, and perform analytics.

ShinyHunters began selling the data on May 28 on a well-known hacking forum for $500,000. The threat actor claimed that the data was 1.3TB and contained information for 560 million customers, ticket sales, event information, customer fraud, and partial credit card information.

Ticketmaster data sold on a hacking forum

Samples of the data seen by contained more than just “basic contact information,” including full names, email addresses, phone numbers, addresses, hashed credit card details, and payment amounts.

After remaining silent for days, Ticketmaster eventually confirmed the breach on May 31, in a Friday evening SEC filing, stating that they did not believe the breach would have a material impact on their company.

Ticketmaster’s breach is one of many recent data theft attacks linked to the Snowflake database platform.

A joint investigation by Snowflake, Mandiant, and CrowdStrike revealed that a threat actor, tracked as UNC5537, used compromised customer credentials to target at least 165 organizations that had not configured multi-factor authentication protection on their accounts.

To breach Snowflake accounts, the threat actor used credentials stolen by information-stealing malware infections dating back to 2020.

Recent breaches linked to these attacks include Neiman Marcus, Santander, Ticketmaster, QuoteWizard/LendingTree, Advance Auto Parts, Los Angeles Unified, and Pure Storage.