What Happened
On May 20, 2024, Live Nation Entertainment confirmed that its subsidiary Ticketmaster had suffered a data breach affecting approximately 560 million customers. The threat group ShinyHunters listed the stolen database, 1.3 terabytes of data, for sale on BreachForums for $500,000. The breach was part of the broader Snowflake customer data theft campaign that affected over 165 organizations.
How It Happened
The Ticketmaster breach occurred through unauthorized access to the company’s Snowflake cloud data environment. Attackers used credentials stolen by infostealer malware to access Ticketmaster’s Snowflake account. The account did not have MFA enabled. Attackers exfiltrated 1.3 TB of customer data using Snowflake’s native data export capabilities. ShinyHunters listed the data for sale on May 28, 2024.
Exposed Data
The breach exposed full customer names, email addresses, phone numbers, physical billing and shipping addresses, partial payment card data including last four digits, card type, and expiration dates, ticket purchase history with event details, and Ticketmaster account information.
Timeline
Live Nation detected unauthorized activity in its Snowflake environment on May 20, 2024. The company filed an SEC Form 8-K disclosing the incident on May 27. ShinyHunters listed 560 million records for $500,000 on BreachForums on May 28. Australian authorities and the FBI investigated in June 2024. Ticketmaster began notifying affected customers in July 2024. Arrests of individuals linked to the broader Snowflake campaign occurred in November 2024.
Context
The Ticketmaster breach was the first major public disclosure from the Snowflake campaign and drew significant media attention for several reasons. The massive scale made it one of the largest consumer breaches of 2024 with 560 million records. Live Nation was already under antitrust scrutiny, as the DOJ had filed a lawsuit against it weeks earlier, increasing public attention. ShinyHunters publicly listed the data on BreachForums, generating widespread media coverage before Live Nation’s official disclosure. The breach demonstrated that entertainment and ticketing platforms hold enormous volumes of consumer data that make them high-value targets.
Impact
Multiple class-action lawsuits were filed against Live Nation and Ticketmaster. Regulatory investigations proceeded in the US, Australia, and UK. Ticketmaster offered affected customers one year of free identity monitoring. The breach contributed to Snowflake’s decision to implement mandatory MFA for new accounts.
Key Lessons
Cloud data platforms holding hundreds of millions of consumer records require the highest level of access security, including MFA, IP allowlisting, and monitoring. Entertainment and ticketing platforms are high-value targets due to the volume of consumer and payment data they store. SEC disclosure timelines are accelerating, as Live Nation filed within a week of detection. Third-party platform security is a shared responsibility that cannot be delegated entirely to the platform provider.
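The monitoring lesson above, as an added example that is not part of the original write-up: a Python check that flags successful password-only logins and logins from outside an IP allowlist. The row keys mirror columns of Snowflake's ACCOUNT_USAGE.LOGIN_HISTORY view; the rows, user names and allowlist ranges are constructed for illustration.

```python
import ipaddress

# Constructed allowlist (documentation ranges) standing in for corporate egress networks.
ALLOWED_NETWORKS = [ipaddress.ip_network(n) for n in ("192.0.2.0/24", "2001:db8:10::/48")]

# Keys mirror columns of Snowflake's ACCOUNT_USAGE.LOGIN_HISTORY view.
COLUMNS = ("EVENT_TIMESTAMP", "USER_NAME", "CLIENT_IP",
           "FIRST_AUTHENTICATION_FACTOR", "SECOND_AUTHENTICATION_FACTOR", "IS_SUCCESS")

# Constructed sample rows (not real log data).
SAMPLE_LOGINS = [dict(zip(COLUMNS, r)) for r in (
    ("2024-05-01T08:02:11Z", "ETL_SVC", "192.0.2.15", "PASSWORD", None, "YES"),
    ("2024-05-01T09:14:50Z", "ANALYST1", "192.0.2.40", "PASSWORD", "DUO_PASSCODE", "YES"),
    ("2024-05-02T03:41:07Z", "ETL_SVC", "203.0.113.77", "PASSWORD", None, "YES"),
    ("2024-05-02T03:55:30Z", "ANALYST1", "198.51.100.9", "PASSWORD", None, "NO"),
    ("2024-05-02T06:00:00Z", "REPORTING", "192.0.2.200", "RSA_KEYPAIR", None, "YES"),
)]


def ip_allowed(client_ip, networks=ALLOWED_NETWORKS):
    """True if client_ip parses and falls inside one of the allowlisted networks."""
    try:
        addr = ipaddress.ip_address(client_ip)
    except ValueError:
        return False  # an unparsable address is treated as outside the allowlist
    return any(addr.version == net.version and addr in net for net in networks)


def audit_logins(rows, networks=ALLOWED_NETWORKS):
    """Return (user, ip, timestamp, reasons) for risky successful logins, most reasons first."""
    findings = []
    for row in rows:
        if row["IS_SUCCESS"] != "YES":
            continue  # failed attempts belong in a separate brute-force review
        reasons = []
        if row["FIRST_AUTHENTICATION_FACTOR"] == "PASSWORD" and not row["SECOND_AUTHENTICATION_FACTOR"]:
            reasons.append("password-only")
        if not ip_allowed(row["CLIENT_IP"], networks):
            reasons.append("ip-not-allowlisted")
        if reasons:
            findings.append((row["USER_NAME"], row["CLIENT_IP"], row["EVENT_TIMESTAMP"], reasons))
    return sorted(findings, key=lambda f: len(f[3]), reverse=True)


if __name__ == "__main__":
    for user, ip, ts, reasons in audit_logins(SAMPLE_LOGINS):
        print(f"{ts} {user} {ip}: {', '.join(reasons)}")
```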