Ticketmaster breach highlights consequences of cybercrime-as-a-service marketplaces and shared responsibility model
Ticketmaster has been the victim of an ongoing extortion campaign following the discovery of compromised user accounts on its cloud service provider (CSP), Snowflake. The situation escalated quickly, with threat actors claiming responsibility for stealing millions of records from Ticketmaster and offering the personal information of its customers for sale on the dark web.
Since then, the threat actors have leaked over 35,000 print-at-home tickets for upcoming concerts and events in addition to over 150,000 ticket barcodes. Unlike typical data breaches, stolen ticket barcodes are immediately monetizable and could cause significant disruption at events if duplicates are used.
The true impact of these leaks is yet to be seen; however, it could result in continued reputational damage and consumer mistrust if upcoming events are affected. This unique situation demonstrates the immediate, real-world consequences cyberattacks can have beyond data privacy concerns.
Security researchers have reported that the threat actors compromised Ticketmaster’s Snowflake accounts using login credentials stolen by information-stealer malware. This attack is another unpleasant reminder that no organization is immune from cyber threats and highlights several cybersecurity issues organizations face, including the consequences of the growing cybercrime-as-a-service marketplace, limitations of the shared responsibility model, and the need for ‘secure by default’ principles.
Growing Cybercrime-as-a-Service Marketplace
Ticketmaster’s Snowflake credentials were stolen using an infostealer, a common Malware-as-a-Service (MaaS) tool that specializes in gathering and exfiltrating sensitive data. The tool typically pulls users’ passwords from the browser’s ‘saved passwords’ store and sends the credentials back to a central infrastructure. Those credentials are then collated, bundled together, and sold to the highest bidder on the dark web. It is likely that in Ticketmaster’s case, the threat actors simply hunted through stolen credentials for Snowflake logins, given the data-rich nature of its platform.
Many of the prolific cybercrime groups now operate ‘as-a-service’ models, providing access to malicious software and related infrastructure for a fee, much like a standard outsourcing or flexible supply chain arrangement. The ‘cybercrime-as-a-service’ ecosystem can provide attackers with everything from pre-made malware and phishing email templates to payment processing systems and even helplines, enabling criminals with limited technical knowledge to mount attacks.
This model has increased in popularity over the last few years compared to more traditional models, lowering the barrier for entry for threat actors and enabling them to carry out attacks without having to develop their own tools.
In fact, our latest threat report found that Malware-as-a-Service (MaaS) and Ransomware-as-a-Service (RaaS) together represent the majority of malicious tools across the cyber threat landscape. The widening of this marketplace creates greater opportunity for threat actors who deliver just one piece of a broader malicious campaign, such as a stolen credential. Even when ransomware, traditionally the way threat actor groups make their profit, is not deployed, threat actors can still make money by selling their access on to another threat actor. This development is likely to coincide with a pivot towards more sophisticated and advanced extortion methods, as we are currently seeing with the Ticketmaster extortion campaign.
Limitations of the Shared Responsibility Model
CSPs are of increasing interest to threat actors as they host large troves of data for a variety of different customers. Under the shared responsibility model that most CSPs operate on, certain practices, such as multi-factor authentication (MFA), are seen as the responsibility of the end-user. In this case, Ticketmaster’s Snowflake accounts did not have MFA enabled, allowing threat actors to gain access to accounts using only stolen credentials.
User resistance can often be a roadblock in setting mandatory MFA requirements. Some end-users view these practices as a barrier to innovation, as they may be cumbersome and time-consuming. If a user is only storing benign data, extra layers of security may seem unnecessary, but if a user is storing sensitive data, extra protections should be put in place.
Often, CSPs have no visibility into the sensitivity of the data, so they leave the decision up to the end-user to set security practices at the right level. Ultimately, the use of MFA is a risk management decision that's up to the end-user to decide. However, we are seeing industry-wide push-back on this type of thinking, with an increasing emphasis on prioritizing adoption of ‘secure by design’ principles.
Prioritizing ‘Secure By Default’ Practices
The Ticketmaster breach is a stark reminder that if users can access your Software-as-a-Service (SaaS) environments with just a password, attackers can and will do the same. CSPs should encourage better security practices even without explicit requirements to do so under the shared responsibility model. User accounts should always be provided in a way that is secure by default.
When looking to encourage users to host their data on your platform, making standard security protections 'opt-out' rather than 'opt-in' sets the tone that your organization takes security seriously. In addition to MFA, account monitoring and notifications of suspicious behavior should be considered mandatory security practices for CSPs to provide. In essence, these practices become a differentiator when organizations are weighing up different cloud providers.
However, it is not only CSPs that can do more. Organizations utilizing cloud services must understand the unique risks that come with SaaS/Cloud usage and educate employees about the importance of MFA and other techniques.
What’s Next for Customers, Organizations, and CSPs
In the near term, affected Ticketmaster customers should follow Ticketmaster's official instructions, change passwords, and stay alert for any further communications as this situation continues to unfold.
More broadly, this incident underscores the need for robust cybersecurity strategies, especially for businesses handling instantly valuable data. CSPs should learn from this incident and may even be able to establish a differentiator with competitors by truly leaning into 'secure by default' principles and providing better account security, whether that be mandatory MFA or monitoring accounts for abnormal behavior.
Organizations utilizing cloud services must not only demand better from their providers but also review their own cybersecurity practices. This incident raises a critical question for them to consider: if a user registered for a third-party SaaS service using their corporate email, would you know?
Ticketmaster is an organization that likely has a mature cybersecurity program, which leads me to believe that the use of Snowflake may have been an example of shadow IT or unauthorized use of Snowflake by an individual business unit. Despite the best of intentions, if the use of the platform was out of sight of the main cybersecurity function, its unmonitored use introduced significant business risk.
When security teams are unaware of an application being utilized, there is no way for them to monitor or protect it, underscoring the critical need for visibility across all applications, platforms and systems that users are engaging with. With that in mind, organizations should take proactive steps to ensure they have visibility across their organization's entire digital estate, as well as the ability to effectively monitor activity and detect and respond to any abnormal behavior in real time.
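As an added illustration of the account monitoring called for above (mandatory MFA, alerts on abnormal behavior, visibility into who is logging in from where), the code below is written for this edit and is not from the original post or from Snowflake. It runs over constructed login records whose fields mirror columns of Snowflake's SNOWFLAKE.ACCOUNT_USAGE.LOGIN_HISTORY view (an assumption about the data source) and flags successful password-only logins, prioritizing those from outside an assumed corporate IP range; the range, user names and timestamps are all invented.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Set

# Constructed login records. The field names mirror columns of Snowflake's
# SNOWFLAKE.ACCOUNT_USAGE.LOGIN_HISTORY view (an assumption about the data
# source); every value below is invented for this example.
@dataclass(frozen=True)
class LoginEvent:
    event_timestamp: str
    user_name: str
    client_ip: str
    first_authentication_factor: str             # e.g. PASSWORD, RSA_PRIVATE_KEY
    second_authentication_factor: Optional[str]  # None means no second factor
    is_success: bool

SAMPLE_EVENTS = [
    LoginEvent("2024-05-20T08:02:11Z", "ANALYST_A", "203.0.113.17", "PASSWORD", "DUO_PUSH", True),
    LoginEvent("2024-05-20T08:05:40Z", "ETL_SVC",   "203.0.113.42", "PASSWORD", None, True),
    LoginEvent("2024-05-21T02:14:09Z", "ANALYST_B", "198.51.100.7", "PASSWORD", None, True),
    LoginEvent("2024-05-21T02:15:33Z", "ANALYST_B", "198.51.100.7", "PASSWORD", None, False),
    LoginEvent("2024-05-21T09:30:00Z", "ANALYST_C", "203.0.113.5",  "RSA_PRIVATE_KEY", None, True),
]

# Assumed corporate egress range (RFC 5737 documentation prefix, constructed).
CORPORATE_RANGES = [ip_network("203.0.113.0/24")]

def password_only_logins(events) -> List[LoginEvent]:
    """Successful logins that relied on a password alone: the pattern that lets
    credentials harvested by an infostealer work against accounts without MFA.
    Key-pair or SSO logins also lack a second factor but are not password-only."""
    return [e for e in events
            if e.is_success
            and e.first_authentication_factor == "PASSWORD"
            and e.second_authentication_factor is None]

def off_network_password_logins(events, corporate_ranges=CORPORATE_RANGES) -> List[LoginEvent]:
    """Password-only logins from outside the known corporate ranges: the
    highest-priority alerts, since leaked credentials are typically replayed
    from infrastructure the organization does not own."""
    def inside(ip): return any(ip_address(ip) in net for net in corporate_ranges)
    return [e for e in password_only_logins(events) if not inside(e.client_ip)]

def users_to_enroll(events) -> Set[str]:
    """Accounts to move onto mandatory MFA (or key-pair/SSO for service users)."""
    return {e.user_name for e in password_only_logins(events)}
```

Against the live view, the same predicates translate to a scheduled query; the failed attempt and the key-pair login in the sample show why success and first factor must be checked rather than just a null second factor.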
As the rise of as-a-service offensive tools continues to increase the speed, sophistication, and success of cyberattacks, cybersecurity must be at the forefront of any business's technology strategy.