Live Nation confirms Ticketmaster was hacked, says personal information stolen in data breach

Entertainment giant Live Nation has confirmed its ticketing subsidiary Ticketmaster has been hacked.

Live Nation confirmed the data breach in a filing with government regulators late on Friday after the markets closed.

In its statement, Live Nation said the breach occurred on May 20, and that a cybercriminal "offered what it alleged to be Company user data for sale via the dark web." The company did not say who the personal information belongs to, though it's believed to relate to customers. It's unclear why it took the company more than a week to publicly disclose the breach.

Live Nation said in its statement that it "identified unauthorized activity within a third-party cloud database environment containing Company data."

The company did not name the third-party cloud database in its statement.

A spokesperson for Ticketmaster, who would not provide their name but responded from the company's media email address, told TechCrunch that its stolen database was hosted on Snowflake, a cloud storage and analytics company.

Ticketmaster's spokesperson did not say how the data was exfiltrated from Snowflake's systems.

Snowflake said in a post on Friday that it had informed a "limited number of customers who we believe may have been impacted" by attacks "targeting some of our customers’ accounts." Snowflake did not describe the nature of the attacks, or if data had been stolen from customer accounts.

Snowflake spokesperson Danica Stanczak declined to comment on the record about Ticketmaster's breach.

Amazon Web Services also hosts much of Live Nation and Ticketmaster's infrastructure, according to a since-removed customer case study on Amazon's website.

Live Nation's communications chief Kaitlyn Henrich also would not comment on the record or answer questions about the breach.

Earlier this week, the administrator of a since-revived popular cybercrime forum called BreachForums claimed to be selling the personal information of 560 million customers, including the alleged personal information of Ticketmaster customers, along with ticket sales and customer card information.

Until now, Live Nation had not commented on the data breach. Earlier this week, Australian authorities confirmed it was assisting Live Nation with a cybersecurity incident, and U.S. cybersecurity agency CISA deferred comment to Live Nation.

TechCrunch on Friday obtained a portion of the allegedly stolen data containing thousands of records, including email addresses. This included several internal Ticketmaster email addresses used for testing, which are not public but appear as real Ticketmaster accounts. TechCrunch verified on Friday that the records we checked belong to Ticketmaster customers.

TechCrunch checked the validity of these accounts by running the internal email addresses through Ticketmaster's sign-up form. All of the accounts came back as real. (Ticketmaster displays an error if someone enters an email address that is already a real Ticketmaster account.)

Earlier in May, the Department of Justice and 30 attorneys general sued Live Nation to break up the ticketing conglomerate, accusing Live Nation of monopolistic practices.

Updated with response from Ticketmaster, and Snowflake's decline.

Do you know more about the Live Nation TicketMaster breach? Get in touch. To contact this reporter, get in touch on Signal and WhatsApp at +1 646-755-8849, or by email. You can also send files and documents via SecureDrop.