Hackers leak alleged Taylor Swift tickets, amp up Ticketmaster extortion

Update: Ticketmaster statement added below.

Hackers have leaked what they claim is Ticketmaster barcode data for 166,000 Taylor Swift Eras Tour tickets, warning that more events would be leaked if a $2 million extortion demand is not paid.

In May, a well-known threat actor named ShinyHunters began selling data on 560 million Ticketmaster customers for $500,000.

Ticketmaster later confirmed the data breach, which they ultimately stated was from their account on Snowflake, a cloud-based data warehousing company used by the enterprise to store databases, process data, and perform analytics.

In April, threat actors began downloading Snowflake databases of at least 165 organizations using credentials stolen by information-stealing malware.

The threat actors then blackmailed the companies, demanding payment to prevent the data from being leaked or sold to other threat actors. Companies confirmed to have had data stolen from their Snowflake accounts include Neiman Marcus, Los Angeles Unified School District, Advance Auto Parts, Pure Storage, and Satander.

Taylor Swift tickets leaked

Today, a threat actor known as Sp1d3rHunters has leaked what they claim is the ticket data for 166,000 Taylor Swift Eras Tour barcodes used to gain entry on various concert dates.

Sp1d3rHunters, previously named Sp1d3r, is the threat actor behind the sale of data stolen from Snowflake accounts, publicly extorting the various companies for payments.

"Pay us $2million USD or we leak all 680M of your users information and 30million more event barcodes including: more Taylor Swift events, P!nk, Sting, Sporting events F1 Formula Racing, MLB, NFL and thousands more events," reads the extortion demand first shared by threat intel service HackManac.

The post claims the barcode data is for upcoming Taylor Swift concerts in Miami, New Orleans, and Indianapolis.

The post includes a small sample of the alleged barcode data, which contains the value used to create a scannable barcode, seat information, the face value of tickets, and other information. The threat actor further shared details on how to turn this data into a scannable barcode.

While the barcode data was not part of the initial leak of stolen Ticketmaster data samples released by the threat actors in May, some of the newly leaked data can be found in the older leaks, including the hashed credit card and sales order information for the tickets.

The group behind these attacks is ShinyHunters, which has been responsible for many data breaches over the years. These include leaking the data for 386 million user records from 18 companies in 2020, an AT&T breach impacting 70 million customers, and, most recently, the leaking of 33 million phone numbers used with the Authy multi-factor authentication app.

Update 7/5/24 3:44 PM ET: Ticketmaster told BleepingComputer that unique barcodes are updated every few seconds, so the stolen tickets cannot be used.

"Ticketmaster's SafeTix technology protects tickets by automatically refreshing a new and unique barcode every few seconds so it cannot be stolen or copied," Ticketmaster told BleepingComputer.

"This is just one of many fraud protections we implement to keep tickets safe and secure."

Ticketmaster also confirmed that they did not engage in any ransom negotiations with the threat actors, disputing ShinyHunter's claims that they were offered $1 million to delete the data.

---