TicketMaster breach: Leaked credentials are the golden ticket once again

It had already been a challenging few weeks for Live Nation Entertainment, Inc. as they faced down a lawsuit from The Justice Department regarding anti-competitive practices. Things got worse at the end of May when a cybercriminal known as “SpidermanData” claimed to have breached a huge database of 560 million records (including personal and financial data) belonging to TicketMaster Entertainment, LLC – a Live Nation company.  

Outpost24’s Threat Intelligence team, KrakenLabs, has been analyzing the situation and looking into the role of leaked credentials. We’ll walk through what happened and share some advice on avoiding the same fate for your own organization.   

How was the breach discovered?  

On May 27th, a user nicknamed “SpidermanData” put a database up for sale on the underground “forum Exploit” that contained info from 560 million users They alleged the data belonged to Live Nation and TicketMaster (both companies fall under Live Nation Entertainment, Inc.). The user had registered on the forum on that same day and has shown no further activity beyond that original post. 

The next day, on May 28th, a known threat actor named “ShinyHunters” posted the same content on the underground forum “BreachForums”. This forum had been seized on May 15th by law enforcement authorities earlier this year. However, its administrators (with ShinyHunters among them) managed to get it back online on May 28th, exactly the same day that the Live Nation/TicketMaster database was put up for sale [1] [2]

How did the attackers gain access?  

Researchers from vx-underground managed to speak with individuals involved in the alleged breach, and on May 30th they published [3] this claim: “Sometime in April, an unidentified Threat Group was able to get access to TicketMaster AWS instances by pivoting from a Managed Service Provider (MSP). The TicketMaster breach was not performed by ShinyHunters group. ShinyHunters is the individual and/or group which posted the auction of the data, they are acting as a proxy for the Threat Group responsible for the compromise.” 

On June 1st, these same researchers said it had been confirmed that the MSP in question was Snowflake, an American cloud computing–based data cloud company. The individuals who claimed responsibility for the breach claimed said had gained access via an infostealer. 

On May 31st, security company Hudson Rock confirmed that a Snowflake employee’s credentials were stolen via a Lumma Stealer campaign. The information provided by the firm was based on a conversation in Telegram with the alleged threat actor. Security company White Intel corroborated that the account was compromised as well. Along with the TicketMaster compromise, the threat actor claimed authorship of other relevant data breaches that had been disclosed recently: Santander Bank, Anheuser-Busch, State Farm, Mitsubishi, Progressive, Neiman Marcus, Allstate, and Advance Auto Part. 

It’s worth noting both posts from these security firms have now been removed due to ambiguities [4] [5] after Snowflake’s statements about the incident. However, an archived version of the Hudson Rock article can still be reached [6].  

What have TicketMaster and Snowflake said?  

On May 31st, Live Nation Entertainment, Inc. (TicketMaster’s parent company) filed an 8-K form to inform the Securities and Exchange Commission (SEC) [7] that on May 20th, they “identified unauthorized activity within a third-party cloud database environment containing Company data (primarily from its TicketMaster L.L.C. subsidiary)”. 

After being accused of acting as an unwilling entry vector, Snowflake, together with third-party cybersecurity experts, CrowdStrike and Mandiant, published their own joint statement on June 2nd. They said they were involved in an ongoing investigation into a targeted threat campaign against some Snowflake customer accounts [8]. Among their key preliminary findings, they claim that they “had not been able to identify as the cause of the activity, a vulnerability, misconfiguration, or breach of Snowflake’s platform and neither a compromised credential of current or former Snowflake personnel.” 

Snowflake did not deny what security firms had been saying over the previous days and confirmed they found evidence that “a threat actor obtained personal credentials to and accessed demo accounts belonging to a former Snowflake employee.” However, they said this account would not have given access to sensitive data. Furthermore, they claim the reason it became compromised was because was it was a demo account not secured with Okta or multi-factor authentication (MFA), unlike the usual set-up for Snowflake’s corporate and production systems. 

Snowflake does confirm that behind the current issue there “appears to be a targeted campaign directed at users with single-factor authentication,” and that “as part of this campaign, threat actors have leveraged credentials previously purchased or obtained through infostealing malware”. With these two key points, Snowflake are saying although they haven’t been compromised, they would have detected an active campaign against their clients where threat actors were using credentials previously compromised with infostealers to target accounts that have not been properly secured with multi-factor authentication. 

The company did not provide a public list of customers that they believe might have been affected but claimed to have promptly informed them. In addition, to assist its clients in investigating potential threat activity based on their findings, they provided some guidelines for clients to follow [9]

What conclusions can we draw? 

1. Both Snowflake and Live Nation (TicketMaster) have been compromised. 

One employee of Snowflake got their credentials stolen via a Lumma Stealer campaign, likely on October 5th, 2023 [6]. The compromised credentials belong to a demo account that was not behind Okta or Multi-Factor Authentication (MFA) [8]. This account was compromised and threat actors were able to access it. However, this account did not have access to sensitive data. Live Nation (TicketMaster) was compromised through a third-party cloud database environment containing company data [7]

Despite both compromises being true, what hasn’t been confirmed is the relationship between them. Snowflake has confirmed [8] that they have detected an active campaign against their clients where threat actors would be using credentials previously compromised with infostealers to target accounts that have not been properly secured with multi-factor authentication. However, they have denied that the cause of this activity would be a compromised credential of current or former Snowflake personnel.  

Live Nation has not confirmed nor denied yet if the access to the third-party cloud database environment containing company data was done using a compromised credential and neither if the account had MFA enabled or not. 

2. We can’t confirm the impact of the targeted campaign. 

Hudson Rock mentioned [6] at least nine potential victims related to this attack campaign. Security researcher Kevin Beaumont confirmed on June 1st, that six major organizations were running Snowflake incidents [10]. One of these companies would be Advance Auto Parts, whose data had already been put up for sale on BreachForums on June 5th [11]. Also citing Beaumont, Snowflake offers a free trial where anybody can sign up and upload data [12], and their authentication setup would not be an easy task [13]

If threat actors are indeed targeting Snowflake’s customers by leveraging credentials previously purchased or obtained through infostealing malware, it’s very likely that more customers will be affected. For these credentials to work out, these customers must also have single-factor authentication enabled, something more likely due to the complications highlighted by researchers for enabling the MFA. 

3. Identity-based attacks are in the spotlight over the last couple of months. 

Citing the alleged threat actors, vx-underground mentioned [3]Sometime in April an unidentified Threat Group was able to get access to TicketMaster AWS instances by pivoting from a Managed Service Provider.” Coincidentally, Okta security published on May 28, 2024, a warning for “suspicious activity that started on April 15” and that was related to endpoints used to support a cross-origin authentication feature in their Customer Identity Cloud (CIC) prone to being targeted by threat actors orchestrating credential-stuffing attacks [13]

Okta’s advisory comes right after Cisco Talos confirmed they were actively monitoring a global increase in brute-force attacks against a variety of targets, since at least March 18th, 2024 [14]. Based on their findings, the brute-forcing attempts were this time using generic usernames and valid usernames for specific organizations. It’s important to highlight that we’re not establishing a relation between all these advisories, but rather just pointing out the likelihood of the campaign that Snowflake mentioned in their statement. 

4. Credentials are (almost) always the root cause! 

Identity-based attacks can be achieved through brute-force but it’s more efficient to directly use a previously-compromised credential. The benefits of the second option are likely one of the reasons behind the massive spurge of infostealers infections nowadays. Recent reporting from Mandiant [14] and Kaspersky [15]  cite this type of malware as the most prevalent during the past year, with nearly 10 million devices falling victim to infostealers during 2023. 

To accommodate the huge amount of stolen information, the current credential theft ecosystem has also evolved and welcomed other business models such as the traffers organizations (check Outpost24 KrakenLabs analyst’s The Rising Threat of Traffers report for further information) together with other sharing platforms like the legitimate messaging application Telegram. 

5. Who’s really behind the attacks? 

Some researchers have dared to mention a possible implication of “Scattered Spider[16] in this new campaign. This idea would not be far-fetched since this group has already been involved in carrying out identity-based attacks. However, so far, we have not been able to gather conclusive information that would allow us to confirm this hypothesis. 

Secure your organization against leaked credentials  

Breaches like these highlight the importance of gaining visibility over whether your end users’ credentials have been leaked. Outpost24’s exposure management platform offers several ways to get your leaked credential risk under control: 

Unsure where to start? Speak to an expert about the best fit for your organization.


[1] Dark Web Informer [@DarkWebInformer]. (2024, May 28). Post. X. https://x.com/DarkWebInformer/status/1795237523238551694 

[2] vx-underground [@vxunderground]. (2024, May 30). Post. X. https://x.com/vxunderground/status/1796217510544527857 

[3] vx-underground [@vxunderground]. (2024, May 30). Post. X. https://x.com/vxunderground/status/1796063116574314642 

[4] Hudson Rock LinkedIn [@hudson-rock]. (2024, May 4). Post. LinkedIn. https://www.linkedin.com/posts/hudson-rock_activity-7203433945919578113-RH05/ 

[5] WhiteIntel Dark-Web Intelligence [@whiteintel_io]. (2024, June 1). Post. X. https://x.com/whiteintel_io/status/1796794483339669968 

[6] Archive – Hudson Rock. (2024, May 31). Snowflake, Cloud Storage Giant, Suffers Massive Breach: Hacker Confirms to Hudson Rock Access Through Infostealer Infection. https://web.archive.org/web/20240531140540/https://hudsonrock.com/blog/snowflake-massive-breach-access-through-infostealer-infection 

[7] United States Securities and Exchange Commission. (2024, May 31). FORM 8-K Live Nation Entertainment, Inc. https://www.sec.gov/Archives/edgar/data/1335258/000133525824000081/lyv-20240520.htm 

[8] Snowflake. (2024, June 2). Detecting and Preventing Unauthorized User Access. https://community.snowflake.com/s/question/0D5VI00000Emyl00AB/detecting-and-preventing-unauthorized-user-access 

[9] Snowflake. (2024, June 3). Detecting and Preventing Unauthorized User Access: Instructions. https://community.snowflake.com/s/article/Communication-ID-0108977-Additional-Information 

[10] Kevin Beaumont [@GossiTheDog@cyberplace.social]. (2024, June 1). Post. Mastodon. https://cyberplace.social/@GossiTheDog/112538298122679069 

[11] HackManac [@H4ckManac]. (2024, June 5). Post. X. https://x.com/H4ckManac/status/1798342651407663254 

[12] Kevin Beaumont [@GossiTheDog@cyberplace.social]. (2024, May 31). Post. Mastodon. https://cyberplace.social/@GossiTheDog/112536407633131499 

[13] Kevin Beaumont [@GossiTheDog@cyberplace.social]. (2024, June 3). Post. Mastodon. https://cyberplace.social/@GossiTheDog/112552067562285307 

[14] Mandiant – Google. (2024, February 23). A year in the cybersecurity trenches with Mandiant Managed Defense. https://cloud.google.com/blog/products/identity-security/a-year-in-the-cybersecurity-trenches-with-mandiant-managed-defense 

[15] Kaskersky. (2024, April 2). Data-stealing malware infections increased sevenfold since 2020, Kaspersky experts say. https://www.kaspersky.com/about/press-releases/2024_data-stealing-malware-infections-increased-sevenfold-since-2020-kaspersky-experts-say 

[16] CyberKnow. (2024, June 3). Navigating The TicketMaster Data Breach. https://cyberknow.substack.com/p/navigating-the-TicketMaster-data 

About the Author

KrakenLabs Threat Intelligence Team, Outpost24

KrakenLabs is Outpost24’s Cyber Threat Intelligence team. Our team helps businesses stay ahead of malicious actors in the ever-evolving threat landscape, helping you keep your assets and brand reputation safe. With a comprehensive threat hunting infrastructure, our Threat Intelligence solution covers a broad range of threats on the market to help your business detect and deter external threats.