Stolen Ticketmaster Data Briefly Resurfaces for Sale

Summary
– The Arkana Security group listed Ticketmaster data for sale, but it was confirmed to be from the 2024 Snowflake data theft attacks, not a new breach.
– The data matches samples from the Snowflake attacks, and the post referenced “RapeFlake,” a tool used to exfiltrate Snowflake database data.
– The Snowflake attacks targeted multiple organizations, including Ticketmaster, using stolen credentials to extort victims, with ShinyHunters claiming responsibility.
– Arkana’s listing was removed by June 9, and it remains unclear if they were reselling old data or collaborating with ShinyHunters.
– ShinyHunters has been linked to numerous breaches, including a recent Salesforce campaign, though arrests raise questions about the group’s current identity.

A recent listing of stolen Ticketmaster data briefly appeared for sale over the weekend, sparking concerns about a potential new breach. However, cybersecurity experts quickly identified the files as recycled from the massive Snowflake data theft earlier this year.
The extortion group Arkana Security advertised 569 GB of Ticketmaster data, complete with screenshots suggesting fresh stolen information. Closer examination revealed these files matched samples from the 2024 Snowflake attacks, where hackers exploited compromised credentials to access corporate databases. One image even referenced “RapeFlake,” a custom tool developed by threat actors to extract data from Snowflake systems.
This isn’t the first time Ticketmaster has faced fallout from the Snowflake incident. The company confirmed in May that attackers had stolen sensitive customer and ticketing details, later attempting to sell the data online. Hackers escalated their extortion tactics by leaking what they claimed were print-at-home tickets, including some allegedly tied to Taylor Swift concerts.
While Arkana didn’t disclose the data’s origin, the Snowflake references and matching filenames strongly suggest they were repackaging old leaks. It remains unclear whether the group acquired the data independently, collaborated with the original hackers, or simply rebranded existing material. By June 9, the listing had vanished from Arkana’s site.
The Snowflake breaches impacted major corporations like Santander, AT&T, and Neiman Marcus, with the hacking collective ShinyHunters taking credit. Known for high-profile cyberattacks, ShinyHunters were also linked to the PowerSchool breach, exposing records of millions of students and teachers globally. Recent reports tie them to a Salesforce account hijacking campaign, further highlighting their persistent threat to corporate data security.
Despite multiple arrests of individuals connected to ShinyHunters, their operations continue—raising questions about whether current activity stems from the original group or imposters capitalizing on their notoriety. Neither Arkana nor Ticketmaster responded to requests for comment regarding the latest listing.
As cybercriminals increasingly recycle stolen data, organizations must prioritize multi-layered security measures, particularly for cloud-based platforms like Snowflake. The repeated resurfacing of old breaches underscores the long-term risks of compromised credentials and the need for continuous monitoring to detect unauthorized access.
(Source: BleepingComputer)