Live Nation Entertainment, also known as Ticketmaster, has submitted an official Form 8-K with the U.S. Securities and Exchange Commission (SEC), acknowledging and confirming that the recently rumored data breach is real.
In the filing (which can be seen here), Ticketmaster says that on May 20, 2024, Live Nation Entertainment, Inc. discovered unauthorized activity within a third-party cloud database environment that contained company data, primarily from its Ticketmaster L.L.C. subsidiary. The company immediately launched an investigation with the help of leading forensic experts to understand the extent and nature of the breach.
On May 27, 2024, a criminal actor claimed to have company user data for sale on the dark web. Live Nation is actively working to mitigate the risk to its users and the company. They have notified and are cooperating with law enforcement agencies. Additionally, they are informing regulatory authorities and affected users about unauthorized access to personal information.
The company says they continue to assess the risks and are working on remediation efforts.
What happened? A timeline.
Starting May 29th, when a group called ShinyHunters published the initial data for sale on dark web forums, numerous key events were associated with this breach. As such, here is a complete timeline of the events as they happened:
May 27, 2024 — A dark web user with no previous breach reputation published a forum post saying they have 560 million Ticketmaster user data for sale: name, address, email, phone numbers, order details, etc.
May 29, 2024 — The dark web threat group ShinyHunters reposted the sale of this data themselves on BreachForums, which gave this story immediate credibility. ShinyHunters has a history of high-level data breaches. Following this, major news media immediately picked up the story and began publishing articles saying Ticketmaster had been hacked.
May 30, 2024 — A reputable cybersecurity group called vx-underground was given sample data from the Ticketmaster breach. They said, “Based on data provided to us by the Threat Group responsible for the compromise, we can assert with a high degree of confidence that the data is legitimate.”
May 31, 2024 — The BBC published a news article saying that Santander, a major financial organization, had been breached, and all customer data was offered for sale: the price was $2 million. At the time, there was no connection between this story and Ticketmaster’s. Until…
May 31, 2024 — The security research group at Hudson Rock publishes a story about a conversation with the threat actor responsible for the Ticketmaster and Santander breaches. According to the perpetrator, these breaches were made possible by breaching Snowflake, a cloud provider of data solutions. Both Santander and Live Nation are Snowflake customers.
May 31, 2024 — Snowflake published a security bulletin acknowledging the breach. They don’t acknowledge the exact method of breach implied by the perpetrator, but they don’t deny it either. What matters here is that there is a connection with everything that happened before.
May 31, 2024 — The Securities and Exchange Commission (SEC) publishes the Live Nation filing disclosing the Ticketmaster breach. Details are very sparse at this time, and we should expect more updates in the coming days or weeks.
According to Hudson Rock's story on its conversation with the perpetrator, he had initially wanted $20 million from Snowflake in exchange for never publishing the data, whether from Ticketmaster, Santander, or the other 400 companies he alleges he had access to.
“To put it bluntly, a single credential resulted in the exfiltration of potentially hundreds of companies that stored their data using Snowflake, with the threat actor himself suggesting 400 companies are impacted. The goal of the threat actor, as in most cases, was to blackmail Snowflake into buying their own data back for $20,000,000.” (Hudson Rock)
There have been no new developments or data leaks as of this publication. As a reminder, the perpetrator of this data breach is looking to get $500,000 for the entire Ticketmaster database and $2,000,000 for the entire Santander database.