Channel: Cyber agencies urge organizations to collaborate to stop fast flux DNS attacks | CSO Online

Cybercrime group claims to have stolen data on 560 million Ticketmaster users

Cybercrime group ShinyHunters is claiming it has grabbed data from more than half a billion Ticketmaster customers. It has posted screen captures supporting this claim, but there is little in those captures that explicitly establishes a new attack on Ticketmaster or its parent company, LiveNation.

Ticketmaster has yet to publicly say anything about the alleged breach. 

ShinyHunters is offering the database for $500,000.

The database contains full names, addresses, email addresses, phone numbers, ticket sales and event details, order information, and payment card data including the cardholder name, expiry date, and last four digits of the card number, according to a screenshot of the posting captured by HackRead.

Speculation abounds

Cybersecurity officials and threat hunters, online and in interviews with CSO, have speculated about possible attack vectors in this case, but none has cited evidence establishing how the attack was actually executed.

For example, one cybersecurity specialist, who used to work with Ticketmaster systems and has therefore asked not to be identified, said that she suspects Ticketmaster’s legacy systems were the means of entry.

“This is a company that has a lot of legacy infrastructure. It is what makes Ticketmaster possible. But that comes with a lot of legacy risk,” she said. “Old software and old hardware and old policies and procedures, that all introduces a lot of additional risk.”

Britton White, who publicly says that he works in cyberthreat intelligence for an unidentified private sector firm, posted on LinkedIn that a Ticketmaster software partner, EPAM, had an employee account breached where the attacker took over remote control of the victim’s system.

That attack method, White said in an interview, allows the attacker to avoid multi-factor authentication defenses and bypass two-factor authentication, “stealing the session tokens and cookies. With that level of access, these organizations just won’t know that they have been breached.”

However, he said that he couldn’t prove that that was the means of attack in this case.

Matt Harrigan, a VP at Leviathan Security, said that it was not clear whether the payment card data supposedly stolen would be sufficient to allow for fraudulent transactions.

Appropriate precautions

“You can’t buy a Ferrari with the last four digits of a payment card,” Harrigan said, adding that it appeared Ticketmaster had taken the appropriate precautions to protect cardholder data. 

But Harrigan added that the varied nature of the data that was claimed to be accessed suggests something troubling, namely that the attackers had accessed “a centralized database of all activity, a transaction log of everything that has happened.”

Harrigan also said that he suspects the attack likely leveraged web application security holes.

Dwayne McDaniel, a developer advocate at GitGuardian, had his own suspicions about the attack vector.

“Given what we know about the ShinyHunters threat group who are taking credit, there is a good chance this was caused by a hardcoded plaintext credential, as they love GitHub OAuth tokens, or previously leaked credentials for Office365 accounts that have never been rotated,” McDaniel said. “No matter what common attack path they took, it is likely a more common or automated secrets rotation policy would have better kept Ticketmaster’s customers safe.”

Josh Amishav, the CEO at Breachsense, pointed to one of the frustrations law enforcement faces when hunting down this level of attacker. 

“The threat actor shared a tiny sample on BreachForums which, despite being taken down by law enforcement, is now back up,” Amishav said. 

Some others noted the relatively low price of $500,000, given the massive size of the data allegedly stolen.

“Given the scale of the Ticketmaster breach, with ShinyHunters selling 560 million customer records for $500,000, the cost per record is alarmingly low,” said Ivan Novikov, the CEO of Wallarm.

