A prominent hacker is trying to sell 30 million users’ worth of data allegedly stolen from Australia-based events and ticketing company TEG, the owner of Ticketek.
Late last month, ticketing company Ticketek announced a cyber incident impacting Australian account holder information.
At the time, the company did not disclose how many of its users were impacted; however, Minister for Cyber Security Clare O’Neil described the breach as “potentially affecting many Australians”.
Now, a purported TEG data leak has appeared on a popular cyber crime forum – with a well-known hacker claiming to have stolen names, genders, dates of birth, email addresses, usernames and hashed passwords from up to 30 million TEG users.
While the post doesn’t clarify whether the alleged leak comes from TEG itself or one of its subsidiaries, technology and security company HackManac said “it is believed that the exfiltrated data comes from Ticketek”.
“A probable Snowflake-related data breach targeting TEG has been detected,” wrote HackManac.
“The confirmation or denial of these claims has yet to be verified.”
Posted by prominent threat actor ‘Sp1d3r’, the forum listing includes an alleged sample of data for more than 200 individuals – showing both personal data and apparent TEG account data fields such as “CustomerID” and “CreatedDate”.
According to TechCrunch, attempting to register a Ticketek account using some of the allegedly leaked email addresses often results in a website error, suggesting some of the data may be legitimate and already in use on the platform.
Any criminals trying to break into a Ticketek account by purchasing the data would first need to crack its allegedly stolen password hashes; however, successfully doing so could yield further sensitive information such as home addresses, ticket order history and limited payment card details.
If stolen, these details could then be used to enable further attacks such as personalised phishing scams, while victims who have re-used their account password elsewhere could be at risk of credential stuffing attacks.
TEG did not respond when asked by Information Age whether it has reached out to all impacted customers.
The company also neglected to comment on whether the sample of purportedly stolen data is legitimate or if it has been contacted for a ransom.
Sp1d3r is aiming to sell the alleged data leak for $45,000 ($US30,000).
All threads lead to Snowflake
In a statement earlier this month, Ticketek admitted its security incident was related to a cloud-based platform hosted by a “reputable, global third-party supplier”, though it did not disclose which supplier this was.
Meanwhile, similar data breaches at the likes of banking firm Santander and fellow ticketing giant Ticketmaster have raised suspicions that the Ticketek breach may be linked to Snowflake, a third-party cloud storage firm which is making headlines for an ongoing threat campaign against its users.
Snowflake – which services nearly 10,000 customers including big-name brands Adobe, HP and Mastercard – suggested its users with single-factor authentication rather than multi-factor authentication are being increasingly targeted.
Furthermore, ongoing investigations have found many of the attacks stem from stolen customer credentials, most of which were obtained through separate malware campaigns, and some of which were pinched years ago.
Both the Australian Cyber Security Centre and Google-owned security firm Mandiant are actively tracking the issue, with the latter having already notified some 165 potentially exposed organisations.
TechCrunch has meanwhile discovered hundreds of alleged Snowflake customer credentials available on an online criminal platform.
Furthermore, Sp1d3r has posted data from two more companies that it claims is related to Snowflake, and last week claimed to have leaked one million customer records for suspected Snowflake victim Ticketmaster.
“Ticketmaster will not respond to request to buy data from us,” wrote Sp1d3r.
“They care not for the privacy of 680 million customers, so give you the first one million users free.”
TEG did not confirm to Information Age whether the Ticketek breach stems from Snowflake's unfolding threat campaign.