Compromised Ticketmaster Data from Snowflake Breach Reemerges on Dark Web Marketplace

The Arkana Security group recently listed what appeared to be newly stolen Ticketmaster data for sale, but it has been identified as data acquired during the 2024 Snowflake data theft incidents.

The extortion group published screenshots displaying over 569 GB of Ticketmaster data, prompting concerns about a potential new breach.

Listing of Ticketmaster data being sold by Arkana

Analysis reveals that the files presented in the Arkana post correspond with samples of Ticketmaster data previously associated with the 2024 Snowflake breaches.

One of the images contained the phrase “rapeflaked copy 4 quick sale 1 buyer,” referencing a tool known as “RapeFlake.” This tool, devised by the threat actors, was employed for reconnaissance and the exfiltration of data from Snowflake’s databases.

The Snowflake attacks targeted several organizations, including Santander, Ticketmaster, AT&T, Advance Auto Parts, Neiman Marcus, Los Angeles Unified, Pure Storage, and Cylance. An extortion group known as ShinyHunters claimed responsibility for these operations.

These intrusions were facilitated through compromised Snowflake credentials acquired via infostealers, which were utilized to download sensitive corporate data for extortion purposes.

Ticketmaster was heavily affected by the Snowflake attack, which resulted in the theft of personal and ticketing information. Following the initial data leak, Ticketmaster confirmed the breach in late May and began notifying impacted customers.

In the aftermath of the data leak, the threat actors escalated their extortion attempts by releasing what they purported to be print-at-home tickets, including tickets for high-demand events.

While Arkana has not disclosed the source of the data, its references to Snowflake and file names aligning with previously leaked information suggest that the group is attempting to re-sell outdated stolen data.

It remains unclear whether Arkana acquired this data, whether the group comprises actors familiar with it, or whether it is collaborating with ShinyHunters.

As of June 9, the listing for the Ticketmaster data had been removed from Arkana Security’s data leak platform.

The alias “ShinyHunters” is associated with numerous high-profile breaches, including a notable incident involving PowerSchool, which resulted in the theft of data concerning 62.4 million students and 9.5 million teachers across multiple school districts in the United States and Canada.

More recently, Mandiant has linked ShinyHunters to campaigns targeting Salesforce accounts, where attackers compromised accounts to extract customer data for extortion purposes.

With several individuals tied to ShinyHunters arrested in recent years, it is uncertain whether the current activity is connected to the original group or involves other threat actors misrepresenting themselves to evade law enforcement detection.

Inquiries were made to Arkana and Ticketmaster regarding the listing; however, no responses were received.