
The Ticketmaster Breach: 560 Million Customer Records Stolen

A hacking group called ShinyHunters claims to have stolen the personal data of 560 million Ticketmaster customers, including names, addresses, phone numbers, and partial payment card details. Here's what happened and what you should do.

breached.news | 9 min read

In late May 2024, a hacking group called ShinyHunters posted a listing on a dark web forum offering to sell what they described as 1.3 terabytes of data stolen from Ticketmaster and its parent company, Live Nation. The asking price: $500,000. The claimed haul: the personal information of 560 million customers.

It was, if the numbers held up, one of the largest data breaches in history — a single incident affecting roughly one in fifteen people on the entire planet. And for weeks, the company said almost nothing.

What Happened

The breach didn't come through a frontal assault on Ticketmaster's own systems. Instead, attackers targeted a third-party cloud storage provider called Snowflake, which Ticketmaster used to store large volumes of customer data.

Snowflake is a cloud data platform used by thousands of companies worldwide to store and analyse massive datasets. What made the attack effective wasn't a sophisticated exploit of Snowflake's core infrastructure — it was something far more mundane. Investigators later determined that attackers gained access to Snowflake customer accounts using stolen login credentials. In most cases, those accounts weren't protected by multi-factor authentication, meaning a valid username and password were all that stood between the attackers and the data.

Cybersecurity firm Mandiant, which investigated the incident alongside Snowflake, identified at least 165 organizations whose Snowflake environments were accessed through this method. Ticketmaster was one of the most prominent victims, but it was far from the only one. Santander Bank, a major Spanish financial institution, also confirmed a separate breach of its Snowflake environment around the same time.

The stolen Ticketmaster data, according to ShinyHunters and later confirmed in broad strokes by Australian federal authorities and cybersecurity researchers who examined samples, included:

  • Full names
  • Home addresses
  • Email addresses
  • Phone numbers
  • Dates of birth
  • Partial payment card details — specifically, the last four digits of card numbers along with expiration dates
  • Ticket purchase history, including event names, dates, and seat details
  • Some hashed credit card details (where the actual card number had been run through a one-way hash function rather than stored directly, though the strength of those hashes varied)

The payment card data did not include full card numbers — those are subject to strict regulations that require tokenisation or encryption — but the combination of other personal details was comprehensive enough to make affected customers highly vulnerable to targeted phishing attacks, social engineering, and identity fraud.

Live Nation's Slow Response

Live Nation, Ticketmaster's parent company, filed a disclosure with the US Securities and Exchange Commission on May 31, 2024 — the day after ShinyHunters had already listed the data for sale publicly. The filing was brief and cautious, stating only that the company had "identified unauthorized activity within a third-party cloud database environment" and was investigating.

The SEC disclosure was required under rules the commission had adopted in 2023 mandating that public companies report material cybersecurity incidents within four business days of determining they were material. Live Nation's filing satisfied the letter of that requirement, but critics noted it came after the breach was already public knowledge, and contained little detail that would help affected customers understand their exposure.

In the weeks that followed, Live Nation sent notifications to affected customers in various jurisdictions — timing and substance varied significantly depending on local data breach notification laws. Australian customers, for example, were notified relatively promptly after Australian federal police confirmed they were assisting in the investigation. US customers faced longer waits.

Who Are ShinyHunters?

ShinyHunters is a prolific cybercriminal group with a long history of large-scale data theft. The name is a reference to the Pokémon concept of "shiny" variants — rare, valuable versions of common creatures. The group's approach mirrors that metaphor: they hunt for rare, high-value datasets and then attempt to monetise them.

The group first came to public attention around 2020, when they were linked to breaches affecting companies including Microsoft's GitHub repositories, Tokopedia (Indonesia's largest e-commerce platform), Wattpad, and dozens of others. They operate primarily as data brokers — stealing information and then selling it to other criminals, rather than deploying it directly.

In 2022, a French national named Sébastien Raoult was arrested in Morocco and later extradited to the United States, where he pleaded guilty to conspiracy charges related to ShinyHunters activity. He was sentenced to three years in prison in 2024. But like most cybercriminal groups, ShinyHunters is not a single person — it's a loosely affiliated network, and Raoult's prosecution did not end the group's operations.

The Ticketmaster breach represented ShinyHunters operating at a scale they had arguably not reached before. Whether the group ultimately sold the data, used it themselves, or had other members arrested before they could is not fully clear as of this writing.

The Snowflake Factor

Understanding the Ticketmaster breach requires understanding why Snowflake mattered. Snowflake is not a niche product — it's a widely used enterprise cloud platform valued in the tens of billions of dollars, with customers ranging from healthcare companies to financial institutions to entertainment conglomerates. When companies like Ticketmaster generate enormous volumes of transaction and customer data, they often store it in platforms like Snowflake for analysis, reporting, and operational purposes.

The problem wasn't Snowflake's platform itself. Snowflake issued a statement emphasising that there was no vulnerability in their software and no breach of their own infrastructure. What happened was that individual customer accounts — belonging to Ticketmaster and other companies — were compromised through stolen credentials.

Investigators found that the credentials used to access the affected Snowflake accounts had in many cases been stolen by infostealer malware — malicious software designed to harvest saved passwords, browser cookies, and login details from infected computers. These credentials were then traded on criminal markets and eventually used by the Snowflake campaign attackers.

The attack highlighted a structural problem in how large organisations manage third-party cloud access. When you store customer data with a cloud provider, the security of that data depends not just on the provider's own security but on how well your organisation manages the credentials used to access it. If those credentials end up on a criminal market, and there's no multi-factor authentication requirement to catch the intrusion, the data is effectively unprotected.
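As an added example (not code from the article, Snowflake or Mandiant), here is the kind of detection logic a defender could run over Snowflake login records to surface exactly the pattern described above: a successful password-only login from an IP address the account had never used before. The row keys are assumed to mirror the column names of Snowflake's ACCOUNT_USAGE.LOGIN_HISTORY view, and every record is constructed.

```python
# Added example (not from the article): flag password-only Snowflake logins
# that look like stolen-credential use. Row keys are assumed to mirror
# Snowflake's ACCOUNT_USAGE.LOGIN_HISTORY view; all records are constructed.
from collections import defaultdict

# Constructed sample records (ISO timestamps, so string order is time order).
SAMPLE_LOGINS = [
    {"EVENT_TIMESTAMP": "2024-04-14T09:02:11", "USER_NAME": "ANALYST_01",
     "CLIENT_IP": "203.0.113.10", "FIRST_AUTHENTICATION_FACTOR": "PASSWORD",
     "SECOND_AUTHENTICATION_FACTOR": "DUO_PUSH", "IS_SUCCESS": "YES"},
    {"EVENT_TIMESTAMP": "2024-04-16T10:12:00", "USER_NAME": "ETL_SVC",
     "CLIENT_IP": "203.0.113.20", "FIRST_AUTHENTICATION_FACTOR": "PASSWORD",
     "SECOND_AUTHENTICATION_FACTOR": None, "IS_SUCCESS": "YES"},
    {"EVENT_TIMESTAMP": "2024-05-20T03:41:07", "USER_NAME": "ETL_SVC",
     "CLIENT_IP": "198.51.100.77", "FIRST_AUTHENTICATION_FACTOR": "PASSWORD",
     "SECOND_AUTHENTICATION_FACTOR": None, "IS_SUCCESS": "YES"},
    {"EVENT_TIMESTAMP": "2024-05-20T03:45:30", "USER_NAME": "ANALYST_01",
     "CLIENT_IP": "198.51.100.77", "FIRST_AUTHENTICATION_FACTOR": "PASSWORD",
     "SECOND_AUTHENTICATION_FACTOR": None, "IS_SUCCESS": "NO"},
]

def find_suspicious_logins(rows, baseline_before):
    """Return (user, ip, timestamp) for successful logins after `baseline_before`
    that used no second factor and came from an IP the user had not used in
    the baseline period. Failed attempts never extend a user's known IPs."""
    known_ips = defaultdict(set)
    for r in rows:
        if r["IS_SUCCESS"] == "YES" and r["EVENT_TIMESTAMP"] < baseline_before:
            known_ips[r["USER_NAME"]].add(r["CLIENT_IP"])
    hits = []
    for r in rows:
        if r["EVENT_TIMESTAMP"] < baseline_before or r["IS_SUCCESS"] != "YES":
            continue
        single_factor = r["SECOND_AUTHENTICATION_FACTOR"] is None
        new_ip = r["CLIENT_IP"] not in known_ips[r["USER_NAME"]]
        if single_factor and new_ip:
            hits.append((r["USER_NAME"], r["CLIENT_IP"], r["EVENT_TIMESTAMP"]))
    return hits

def users_without_mfa(rows):
    """Accounts that completed a login with no second factor: enforce MFA here first."""
    return sorted({r["USER_NAME"] for r in rows
                   if r["IS_SUCCESS"] == "YES"
                   and r["SECOND_AUTHENTICATION_FACTOR"] is None})

if __name__ == "__main__":
    for hit in find_suspicious_logins(SAMPLE_LOGINS, "2024-05-01T00:00:00"):
        print("password-only login from new IP:", hit)
    print("accounts seen logging in without MFA:", users_without_mfa(SAMPLE_LOGINS))
```

The second function is the inventory a team would use to decide where to require MFA first; the first is the alert that fires when a stolen password is replayed from infrastructure the account has never touched.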

What Data Was Actually Exposed — And What That Means

The partial payment card details in the Ticketmaster breach are worth explaining carefully, because there's often confusion about what "partial" means and how dangerous it actually is.

Full payment card numbers — the sixteen-digit number on the front of your card — are subject to Payment Card Industry (PCI) standards that require merchants and processors to either encrypt them beyond practical recovery or not store them at all. Ticketmaster, like most large ticketing platforms, uses tokenisation: your card number is replaced by a meaningless token in their systems, with the actual number held by a payment processor. So the breach almost certainly did not include full card numbers.

What it did include — hashed card numbers, last four digits, and expiration dates — is more limited in direct financial fraud potential, since you generally can't make card purchases with just those details. However, combined with full name, address, email, phone number, and purchase history, the data creates a rich profile that's extremely useful for targeted fraud.

Consider what a criminal could do with this information. They know your name, your address, your email, your phone number, and the fact that you attended a Taylor Swift concert in Los Angeles in August 2023. They can send you a convincing phishing email pretending to be Ticketmaster, referencing specific details from your actual booking history to appear legitimate, and direct you to a fake login page to harvest your real credentials. This is called spear-phishing, and it's far more effective than generic fraud attempts because the personal details make it credible.

The same information can be used for account takeover attacks — attempting to reset your email or bank password by answering security questions that your stolen data makes answerable. Or for identity theft, where someone uses your personal details to open new credit accounts in your name.

What You Should Do If You're a Ticketmaster Customer

If you've ever purchased tickets through Ticketmaster or any Live Nation property, you should assume your data was included in this breach.

Change your Ticketmaster password immediately — and if you've used that same password anywhere else, change it there too. Password reuse is one of the primary ways stolen credentials cause cascading damage. If your Ticketmaster password is the same as your email password or your banking password, a criminal who gets the former now has a key to the latter.

Enable multi-factor authentication on your Ticketmaster account if you haven't already. The additional layer means that even if someone has your password, they still need access to your phone or authentication app to log in.

Be suspicious of any email or text message referencing your Ticketmaster account or purchase history, particularly if it contains a link and asks you to log in, verify something, or confirm payment details. Legitimate companies will not ask you to re-enter your payment card details via an email link.

Monitor your credit reports for any accounts or inquiries you didn't initiate. In the United States, you're entitled to free weekly credit reports from all three major bureaus at AnnualCreditReport.com. Consider placing a credit freeze — a step we cover in detail elsewhere on this site — which prevents new credit being opened in your name without your explicit authorisation.

Consider signing up for identity monitoring that alerts you if your personal information appears in new breach databases or on dark web markets. Several services, including those offered by major password managers and standalone tools like HaveIBeenPwned, offer this functionality.

The Ticketmaster breach is, in many ways, a case study in how modern data breaches happen — not through spectacular zero-day exploits of major platforms, but through the quieter failure of credential hygiene and third-party access management. It's a pattern we've seen repeatedly. As we noted in our coverage of the 23andMe breach, the biggest danger often isn't the breach itself but the cascading consequences when that data ends up combined with other stolen information.

The Broader Implications

The Ticketmaster breach exposed something that cybersecurity professionals have been warning about for years: the security of your data is only as strong as the weakest link in the chain of companies that hold it.

You trust Ticketmaster with your information when you buy tickets. But Ticketmaster trusts Snowflake with that data for storage and analysis. And if Snowflake's customer — Ticketmaster — doesn't properly secure the credentials used to access that environment, your data is exposed through no failure on Snowflake's part and no direct attack on Ticketmaster's primary systems.

This is the invisible ecosystem of your personal data. When you create an account with any major online service, your information typically flows through multiple third-party providers for analytics, customer service tools, cloud storage, fraud detection, payment processing, and more. Each of those relationships is a potential exposure point.

The Ticketmaster case prompted some change: Snowflake subsequently made multi-factor authentication requirements more prominent for enterprise customers. Live Nation faced multiple class-action lawsuits and regulatory inquiries. Australian authorities launched a criminal investigation. But for the 560 million people whose data was already in criminal hands, those changes came too late.

The practical lesson is one of minimal trust: provide companies with only the personal information they strictly need, use unique strong passwords for every account, enable multi-factor authentication wherever it's available, and regularly check whether your data has been exposed through tools like HaveIBeenPwned.

The age of the megabreach is not passing. If anything, the concentration of personal data in cloud platforms used by thousands of companies simultaneously makes large-scale incidents more likely, not less. Ticketmaster won't be the last.


References:

  1. Live Nation SEC 8-K Filing, May 31, 2024 — Official regulatory disclosure of the incident
  2. Mandiant / Google Cloud: UNC5537 Targets Snowflake Customer Instances — Technical investigation into the Snowflake campaign
  3. Snowflake Security Notice, June 2024 — Snowflake's official statement on the campaign
  4. US DOJ: French National Sentenced for ShinyHunters Role, 2024 — Prosecution details for ShinyHunters member
  5. Australian Federal Police statement on Ticketmaster investigation, June 2024 — Australian law enforcement response