Speculation mounts over how Ticketmaster hackers stole half a billion customer records

Ticketmaster logo pictured on a laptop screen with Live Nation logo on a smartphone screen in foreground.
(Image credit: Getty Images)

Threat actors have claimed to have stolen a database containing sensitive information related to over 560 million Ticketmaster customers. 

The ShinyHunters threat collective, acting as a proxy for the group behind the attack, have listed the 1.3TB database for sale on its newly reopened BreachForums, for a one-time sale of $500,000.

The database contains sensitive information linked to half a billion Ticketmaster users, including their full names, addresses, email addresses, phone numbers, ticket sales and event details, order information, and partial payment card data.

This partial payment data comprises the last four digits of users’ credit card numbers, and expiry dates.

The data stolen in the breach appears to go back as far as 2011, according to cyber crime monitor vx-underground, who claimed to have received a sample of the data from the threat group.

Within this “absurdly large” sample, some of the transaction data was found to be from March 2024, illustrating the breadth of the information stolen in the breach, but vx-underground noted it could not verify the authenticity of the financial information included in the leak.

ITPro has approached Ticketmaster for comment.

Ticketmaster breach marks the grand reopening of BreachForums

The ShinyHunters threat collective made headlines on 20 May 2024 after the FBI seized BreachForums for a second time. The group were instrumental in helping community member Baphomet resurrect the popular underground forum.

The latest takedown by the FBI went further than previous operations, seizing the forum’s Telegram channel, usually used to coordinate the community’s response to takedowns, as well as the Baphomet’s personal channels and the forum’s clearnet sites.

Despite this, the operation did not incur a particularly significant blow to the wider cybercrime industry, with new marketplaces such as BreachNation springing up mere hours after the seizure.

Security experts told ITPro there were also indications ShinyHunters was working on developing their own forum. 


Adversaries aren’t breaking in, they’re logging in

(Image credit: Crowdstrike)

Identify potential breach attempts

This proved to be correct, and it looks like ShinyHunters wanted to inaugurate the opening of their new forum with a high-profile breach in an attempt to generate interest in the new platform.

The administrators behind these marketplaces can use the success of services like BreachForums to boost their standing within the industry and generate significant income from transactions brokered on the platform.

By being able to reclaim the seized domain and resurrect BreachForums so quickly after it was taken down, ShinyHunters has demonstrated its technical expertise and the extent of the challenge facing law enforcement agencies trying to tackle to cybercrime industry.

Solomon Klappholz
Staff Writer

Solomon Klappholz is a Staff Writer at ITPro. He has experience writing about the technologies that facilitate industrial manufacturing which led to him developing a particular interest in IT regulation, industrial infrastructure applications, and machine learning.