Ticketmaster has started sending out warnings to customers that their personal information has been stolen. It is still unknown how many customers are involved. 

At the end of May, criminals claimed that they had stolen the data of 560 million Ticketmaster customers. This would involve 1.3 terabytes of data containing names, address details, telephone numbers, order details, and partial credit card details, which were offered for sale for $500,000 on the dark web. 

Ticketmaster did not issue a public warning but did inform the U.S. Securities and Exchange Commission (SEC) that a “third-party cloud environment” had been breached and that company data and personal information had been stolen. Ticketmaster and parent company Live Nation remained silent. 

Several security experts suggested – in collaboration with the alleged perpetrator – that the data had been stolen via Snowflake’s cloud platform. In response, Snowflake published a press release saying that the breach was not because of a vulnerability or misconfiguration of their platform. 

Ticketmaster states that it has taken several ‘technical and administrative’ measures to protect the security of systems and customer data, including changing passwords of the affected cloud environment, checking access permissions, and implementing additional alert mechanisms. No further details are given. 

When reporting to the Attorney General, companies often report the number of people affected during a data breach. Still, in this case, it only reports that the number was more than 1,000 people. 

Given that multiple credible sources verified the legitimacy of the breach, we can safely assume that the actual number is in the millions. According to the same sources who provided samples of the stolen data, the affected data includes full names, physical addresses, email addresses, credit card numbers (last four, hashed), telephone numbers, and financial history on the platform. 

In a joint statement with Mandiant and CrowdStrike, Snowflake stated there is no evidence suggesting that compromised credentials of Snowflake personnel caused the unauthorized activity. Instead, they attribute the breach (which has also affected companies like Pure Storage, Advanced Auto Parts, and Ticketek) to Snowflake customers’ fault, who failed to implement proper authorization protections on their accounts. 

Nearly a month after the SEC notification, Ticketmaster has now notified several U.S. state attorneys general that it will inform customers, and the sample letter has also been published. In it, the company states that attackers had access to the third-party cloud environment between April 2 and May 18 and stole personal information. The letter does not indicate exactly what information this concerns.