Sensitive Data of 17.6 Million Ticketek Customer Accounts Added to HIBP

• Australian company Ticketek suffered a massive data breach via a third-party cloud service platform on May 31.
• The hacker selling the data boasted some 30 million customers on a cybercriminal forum.
• Have I Been Pwned announced adding 17.6 million Ticketek customer emails to its database.

Australia-based live events and ticketing company TEG (Ticketek Entertainment Group) reported a data breach on May 31, which resulted in a hacker selling what they boasted were sensitive details of 30 million customer accounts. Breach notification service Have I Been Pwned verified and added 17,643,173 compromised accounts to its database on June 28.

A cybercriminal known as Sp1d3r posted samples of the Ticketek customer data hack on a hacker forum, claiming the information included full names, genders, dates of birth, usernames, email addresses, and hashed passwords, as well as customer IDs and other internal details – but no credit card information, as transactions are handled by a separate payment system.

The company confirmed that names, dates of birth, and email addresses from its customer database may have been affected but declared customer accounts were not compromised. The data trove analyzed by HIBP contained almost 30 million rows with 17.6 million unique email addresses as well as names, genders, dates of birth, and hashed passwords.

The Australian company said the cyberattack impacted customers’ data stored via a yet unnamed third-party cloud-based platform. It is suspected to be linked to a series of breaches of the Snowflake cloud storage service, even though TEG refused to comment on this topic. 

The same cybercriminal was also selling an alleged 3TB of data trove from automotive aftermarket parts provider Advance Auto Parts obtained from a breach of the company's Snowflake account, but only 79 million were later added to HIBP. The recent Neiman Marcus breach is also believed to be linked to this threat actor and Snowflake.

Incident response firm Mandiant said approximately 165 companies using Snowflake environments may have had their data stolen via leaked credentials of Snowflake customer accounts without multi-factor authentication (MFA), which were obtained from info-stealer malware.

Sp1d3r was also selling data allegedly belonging to Cylance customers, partners, and employees for $750,000, including 34 million customer, prospect, and employee emails.