Credential theft
Ticketmaster / Live Nation data breach via Snowflake (UNC5537 / ShinyHunters)
Primary Source
Incident Details
UNC5537 (ShinyHunters / Scattered Spider affiliates) used credentials harvested by infostealer malware to authenticate to Ticketmaster’s Snowflake tenant, which had no MFA configured. ShinyHunters listed 560 million customer records (1.3 TB) for sale on BreachForums for $500,000. The data included names, addresses, phone numbers, partial credit card details, and event ticket barcodes. The breach was part of a broader Snowflake campaign hitting ~165 organisations. Arrests made: Connor Riley Moucka was arrested in Canada on 30 Oct 2024.
Technical Details
- Initial Attack Vector
- CWE-307: Improper Restriction of Excessive Authentication Attempts (stolen credentials from infostealer malware reused against Snowflake tenant with no MFA)
- Vendor / Product
- Snowflake cloud data platform
- Malware Family
- VIDAR, RISEPRO, REDLINE, RACCOON STEALER, LUMMA, METASTEALER (infostealers used to harvest credentials)
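The attack vector above is a stolen password accepted with no second factor. From the defender's side, the first question is which accounts in a Snowflake tenant are still logging in that way, and whether any of those logins come from somewhere new. The following is an added example, not part of this incident record and not Snowflake's or Ticketmaster's code: a small Python hunt over rows shaped like Snowflake's login history that lists successful password-only logins per user and flags those arriving from a source IP the user had never used before a baseline date. The column names follow the SNOWFLAKE.ACCOUNT_USAGE.LOGIN_HISTORY view as I understand it; the sample rows, usernames, IPs and the baseline date are constructed for the example.

```python
"""Hunt for successful single-factor (password-only) logins in login history.

Added example, not part of the incident record above. Column names mirror
Snowflake's SNOWFLAKE.ACCOUNT_USAGE.LOGIN_HISTORY view (assumption: names
as the author understands them); the rows below are constructed sample data.
"""
from collections import defaultdict
from datetime import datetime

# Constructed sample rows. In a real review they would come from a query
# such as: SELECT EVENT_TIMESTAMP, USER_NAME, CLIENT_IP, REPORTED_CLIENT_TYPE,
#          FIRST_AUTHENTICATION_FACTOR, SECOND_AUTHENTICATION_FACTOR, IS_SUCCESS
#          FROM SNOWFLAKE.ACCOUNT_USAGE.LOGIN_HISTORY
SAMPLE_LOGIN_HISTORY = [
    {"EVENT_TIMESTAMP": "2024-04-10T09:02:11", "USER_NAME": "ETL_SVC",
     "CLIENT_IP": "203.0.113.10", "REPORTED_CLIENT_TYPE": "JDBC_DRIVER",
     "FIRST_AUTHENTICATION_FACTOR": "PASSWORD",
     "SECOND_AUTHENTICATION_FACTOR": None, "IS_SUCCESS": "YES"},
    {"EVENT_TIMESTAMP": "2024-04-11T09:01:48", "USER_NAME": "ETL_SVC",
     "CLIENT_IP": "203.0.113.10", "REPORTED_CLIENT_TYPE": "JDBC_DRIVER",
     "FIRST_AUTHENTICATION_FACTOR": "PASSWORD",
     "SECOND_AUTHENTICATION_FACTOR": None, "IS_SUCCESS": "YES"},
    {"EVENT_TIMESTAMP": "2024-04-11T14:20:05", "USER_NAME": "ANALYST1",
     "CLIENT_IP": "198.51.100.5", "REPORTED_CLIENT_TYPE": "SNOWFLAKE_UI",
     "FIRST_AUTHENTICATION_FACTOR": "PASSWORD",
     "SECOND_AUTHENTICATION_FACTOR": "DUO_PUSH", "IS_SUCCESS": "YES"},
    # Password-only success from an IP this account has never used before.
    {"EVENT_TIMESTAMP": "2024-04-14T03:17:42", "USER_NAME": "ETL_SVC",
     "CLIENT_IP": "192.0.2.77", "REPORTED_CLIENT_TYPE": "PYTHON_DRIVER",
     "FIRST_AUTHENTICATION_FACTOR": "PASSWORD",
     "SECOND_AUTHENTICATION_FACTOR": None, "IS_SUCCESS": "YES"},
    # A failed attempt is not a successful login and is ignored here.
    {"EVENT_TIMESTAMP": "2024-04-14T03:17:30", "USER_NAME": "ETL_SVC",
     "CLIENT_IP": "192.0.2.77", "REPORTED_CLIENT_TYPE": "PYTHON_DRIVER",
     "FIRST_AUTHENTICATION_FACTOR": "PASSWORD",
     "SECOND_AUTHENTICATION_FACTOR": None, "IS_SUCCESS": "NO"},
    # Key-pair authentication is not password-based, so it is not flagged.
    {"EVENT_TIMESTAMP": "2024-04-14T08:00:00", "USER_NAME": "ADMIN",
     "CLIENT_IP": "198.51.100.9", "REPORTED_CLIENT_TYPE": "SNOWFLAKE_UI",
     "FIRST_AUTHENTICATION_FACTOR": "RSA_KEYPAIR",
     "SECOND_AUTHENTICATION_FACTOR": None, "IS_SUCCESS": "YES"},
]


def single_factor_successes(rows):
    """Successful logins that used a password and no second factor."""
    return [r for r in rows
            if r["IS_SUCCESS"] == "YES"
            and r["FIRST_AUTHENTICATION_FACTOR"] == "PASSWORD"
            and not r["SECOND_AUTHENTICATION_FACTOR"]]


def summarise_by_user(rows):
    """Per user: number of password-only successes, source IPs and client types.

    Every user that appears here is a candidate for MFA enforcement or for
    moving to key-pair / OAuth authentication.
    """
    summary = defaultdict(lambda: {"count": 0, "ips": set(), "clients": set()})
    for r in single_factor_successes(rows):
        entry = summary[r["USER_NAME"]]
        entry["count"] += 1
        entry["ips"].add(r["CLIENT_IP"])
        entry["clients"].add(r["REPORTED_CLIENT_TYPE"])
    return dict(summary)


def flag_new_sources(rows, baseline_end):
    """Password-only successes on or after baseline_end whose source IP the
    same user never used in any successful login before baseline_end."""
    cutoff = datetime.fromisoformat(baseline_end)
    known_ips = defaultdict(set)
    for r in rows:
        ts = datetime.fromisoformat(r["EVENT_TIMESTAMP"])
        if r["IS_SUCCESS"] == "YES" and ts < cutoff:
            known_ips[r["USER_NAME"]].add(r["CLIENT_IP"])
    flagged = []
    for r in single_factor_successes(rows):
        ts = datetime.fromisoformat(r["EVENT_TIMESTAMP"])
        if ts >= cutoff and r["CLIENT_IP"] not in known_ips[r["USER_NAME"]]:
            flagged.append(r)
    return flagged


if __name__ == "__main__":
    for user, info in summarise_by_user(SAMPLE_LOGIN_HISTORY).items():
        print(f"{user}: {info['count']} password-only logins from "
              f"{sorted(info['ips'])} via {sorted(info['clients'])}")
    for r in flag_new_sources(SAMPLE_LOGIN_HISTORY, "2024-04-13T00:00:00"):
        print(f"NEW SOURCE: {r['USER_NAME']} from {r['CLIENT_IP']} "
              f"at {r['EVENT_TIMESTAMP']} ({r['REPORTED_CLIENT_TYPE']})")
```

The baseline cutoff is deliberately a parameter: a service account that has logged in from the same address for months and then appears from a new one, with a password alone and an unfamiliar driver, is exactly the shape of the access described in this record. The per-user summary is the inventory to work from when enforcing MFA or retiring password authentication for non-interactive accounts.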
Timeline
- 2024-04-14 Breach occurred
- 2024-05-20 Publicly disclosed
- 2024-06-01 Customers notified