The Ticketmaster data breach: what happened and how to safeguard your data in the aftermath

In May 2024, Ticketmaster experienced a significant data breach that exposed the personal information of 560 million users. The hacker group ShinyHunters claimed responsibility, allegedly accessing the data through a third-party cloud storage provider and putting it up for sale on the dark web. This and similar incidents uncover hidden threats associated with third-party service providers and underscore how important it is for companies across all industries to have robust cybersecurity measures.
Let’s delve into the Ticketmaster breach to explore how it happened, how to recognize if your account was affected, and what you can do to protect yourself after a breach of this kind.
What happened in the Ticketmaster data breach?
Details of the Ticketmaster breach were revealed after the hackers claimed they stole 1.3TB of user data and, as reported by media, demanded a ransom of $500,000. The hackers presumably accessed user information via a cloud storage account on Snowflake.
Ticketmaster notified its customers about the incident via email. The company also stated that it is cooperating with the U.S. federal law enforcement authorities to probe the breach.
“We are fully committed to protecting your information, and deeply regret that this incident occurred.”
Who are the alleged hackers?
ShinyHunters claimed credit for the Ticketmaster hack. This international black-hat criminal hacker group was founded in 2020 and has been a prolific source of data breaches over the years, including those at Microsoft, AT&T Wireless, Wattpad and others. ShinyHunters is sometimes also known as ShinyCorp.
How many users were affected?
There is a certain discrepancy in the figures, which can be explained by the uncertainty surrounding the true scope of the breach.
The alleged hackers claimed that the breach affected 560 million Ticketmaster customers who purchased tickets for events in Canada, Mexico, and the United States.
In contrast, Ticketmaster stated that the data breach was limited in scope. This is supported by the notice posted by the Maine attorney general’s office where the total number of users affected amounted to less than 1,000.
Which data was compromised?
Moreover, Ticketmaster disputed the types of data involved in the breach. According to the company, limited personal information, such as phone numbers or email addresses, and encrypted credit card data as well as “some other personal information provided” to them were exposed. The hacker group stated they acquired the following as part of the Ticketmaster data breach:
- Full contact details
- Credit card details
- Purchased event details
How did the hackers gain access?
The Ticketmaster hack may have been perpetrated using the chain of techniques described below to target a Snowflake account for access, even though Snowflake denied any platform vulnerabilities that could cause the breach. It is likely that hackers gained access to credentials through malware or phishing, were able to actually use them due to single-factor authentication protocols, and were not caught immediately since the access looked legitimate.
Credential stuffing and phishing attacks
Credential stuffing is a common type of brute-force attack, and it’s usually used in combination with phishing attacks. Phishing involves sending emails that look like they’re from a real company so people turn over their personal information, login credentials, or other useful details. Credential stuffing then uses the information from phishing to guess combinations for the site the hackers want to access.
Exploiting weak security measures
Unfortunately, many people reuse login emails, passwords, or a combination of the two since remembering multiple passwords is inconvenient. Additionally, two-factor authentication is often optional, which can make it easier to access accounts without anyone noticing. In the Ticketmaster breach, weak security measures played a part.
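The pattern described above, as an added detection example that is not from the original article, Ticketmaster or Snowflake: it flags a password-only login success that follows failed logins against many different accounts from the same source. The log fields, thresholds and sample events are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample auth events (not real logs):
# (ISO time, source IP, username, outcome, second factor used)
EVENTS = [
    ("2024-05-01T10:00:01", "203.0.113.7", "alice", "fail", False),
    ("2024-05-01T10:00:03", "203.0.113.7", "bob", "fail", False),
    ("2024-05-01T10:00:05", "203.0.113.7", "carol", "fail", False),
    ("2024-05-01T10:00:07", "203.0.113.7", "dave", "fail", False),
    ("2024-05-01T10:00:09", "203.0.113.7", "erin", "success", False),
    # One user mistyping a password, then logging in: not stuffing.
    ("2024-05-01T10:02:00", "198.51.100.20", "frank", "fail", False),
    ("2024-05-01T10:02:20", "198.51.100.20", "frank", "success", False),
    # Same noisy source, but the login passed a second factor.
    ("2024-05-01T10:03:00", "203.0.113.7", "gina", "success", True),
    # Same source long after the failure burst: outside the window.
    ("2024-05-01T10:30:00", "203.0.113.7", "heidi", "success", False),
]


def detect_stuffing(events, window=timedelta(minutes=5), min_users=4):
    """Return (ip, username, time) for every single-factor success that
    follows failed logins against at least `min_users` distinct accounts
    from the same source IP within `window`."""
    failures = defaultdict(list)  # ip -> [(time, username), ...]
    alerts = []
    for ts, ip, user, outcome, mfa in sorted(events):
        t = datetime.fromisoformat(ts)
        if outcome == "fail":
            failures[ip].append((t, user))
            continue
        # Distinct accounts this source failed against shortly before.
        recent = {u for ft, u in failures[ip] if t - ft <= window}
        # Many accounts tried, then a success with no second factor:
        # the stolen password alone was enough to get in.
        if len(recent) >= min_users and not mfa:
            alerts.append((ip, user, ts))
    return alerts


if __name__ == "__main__":
    for ip, user, ts in detect_stuffing(EVENTS):
        print(f"{ts} possible credential stuffing: {ip} -> {user}")
```

An account flagged this way should have its password reset and its sessions revoked, since the login itself looks legitimate to the service.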
Third-party vendor vulnerabilities
While the primary company may enforce strict security measures for employees and customers, a third-party vendor may not maintain the same standards. This fact introduces vulnerabilities that bad actors can exploit to get in, as ShinyHunters did with the Snowflake accounts they hacked.
History of Ticketmaster security incidents
Unfortunately, 2024 was not the first Ticketmaster data breach. Here’s a timeline of significant instances where Ticketmaster security came into question:
- June 2018: A breach affected 40,000 UK customers due to malicious software installed on a third-party customer support product and used to steal Ticketmaster customers’ login information, payment data, addresses, names, emails and phone numbers.
- April 2 – May 18, 2024: This Ticketmaster hack, the focus of this article, is allegedly one of the largest data breaches in history, hitting those who used Ticketmaster in the US, Canada, and Mexico.
- October 2024: Customers reported unauthorized transfers of expensive concert tickets from their accounts. Some of these tickets appeared on resale platforms like StubHub.
Is Ticketmaster safe for users after the incident?
The answer to “is Ticketmaster safe to use” is generally yes, though data breaches can occur at any point and any company can be targeted.
While no online platform can guarantee absolute security, Ticketmaster has implemented measures to enhance user safety following the 2024 data breach. The company conducted a forensic analysis and updated its security protocols to prevent future incidents. However, it’s crucial for users to adjust settings they have control over. More specifically, if possible, you should update your password and enable Ticketmaster 2FA before using your account.
What to do if your Ticketmaster account gets hacked
Steps to recover your account
Ticketmaster stated that account access was not affected by the breach. However, using the “Forgot Password” feature to have a reset link sent is an option. Once the password has been reset to a strong password, you can check your account for any unauthorized activity or remove any unfamiliar payment methods.
How to check if your data was leaked
Ticketmaster contacted the affected customers via email or first-class mail. They also set up a breach notification page at the time, though that has since been removed.
If you didn’t receive a breach notification but you’re still unsure if you were affected, you can see if your data was exposed using a dark web monitoring tool like HaveIBeenPwned.
Contacting Ticketmaster support
You may also want to go to Ticketmaster Help and submit a request under the “Account Security” category. List your registered email, a brief description of the breach that happened, and any suspicious order numbers if available. Ticketmaster support usually responds within 24-48 hours, so keep an eye on your email and follow up, if needed.
How to protect your data after a breach like Ticketmaster’s

Enable Two-Factor Authentication (2FA)
Enabling Ticketmaster 2FA helps immediately neutralize the risks associated with compromised passwords. Even if your password was hacked, guessed, or phished, that won’t be enough for an intruder to gain access. Ticketmaster 2FA may be a code on your phone, biometric data, hardware tokens, or answering a push notification on a secondary device.
Use strong, unique passwords
Using strong, unique passwords is a solid choice for every account, not just those affected by the Ticketmaster hack. A strong password is longer than twelve characters and uses a mix of uppercase letters, lowercase letters, numbers, and special characters. Unique simply means not using the same password on multiple sites.
Monitor your financial statements
Monitoring bank accounts, credit cards, loans, credit bureau reports, and other financial accounts is a good routine practice to identify any suspicious activity in a timely manner. You can do this yourself on a regular basis or hire a service to do this for you. In the case of the Ticketmaster data breach, customers had 90 days from notification to sign up for a year of identity monitoring.
Safeguard your personal information
Whether or not you’ve been affected by a data breach, your personal details, such as your name, address, phone number, or email, may be accessible online and potentially misused by malicious actors. Identifying where your information is exposed and taking steps to remove it from publicly accessible websites can significantly reduce your risk.
FAQs
How can I check if my Ticketmaster data was breached?
Ticketmaster emailed or mailed you a notice about the breach. You can start by checking for it at the addresses associated with your Ticketmaster account. If you are unsure, you can also contact support.
What should I do if my Ticketmaster account got hacked?
The first thing to do is reset your password to a strong, unique option and enable Ticketmaster 2FA. If this is not possible, you should contact Ticketmaster support and freeze any saved cards on your potentially hacked account.
Does Ticketmaster offer compensation for hacked accounts?
Currently, there is no compensation available for the Ticketmaster hack, though legal actions are in progress. Ticketmaster offered twelve months of identity monitoring services to those it believes are affected by the breach.
Mikalai is a Chief Technical Officer at Onerep. With a degree in Computer Science, he headed the developer team that automated the previously manual process of removing personal information from data brokers, making Onerep the industry’s first fully automated tool to bulk-remove unauthorized profiles from the internet.