A hacker is advertising customer data allegedly stolen from Australia-based live events and ticketing company TEG on a well-known hacking forum.
On Thursday, a hacker put the allegedly stolen data from TEG up for sale, claiming to have 30 million users’ information, including full name, gender, date of birth, username, hashed passwords and email addresses.
In late May, TEG-owned ticketing company Ticketek disclosed a data breach affecting Australian customer data, “which is stored on a cloud-based platform hosted by a trusted, global third-party vendor”.
The company said that “no Ticketek customer account has been compromised,” thanks to the encryption methods used to store their passwords. TEG admitted, however, that “customer names, dates of birth and email addresses may have been affected” — data that would line up with what was advertised on the hacking forum.
The hacker included a sample of the allegedly stolen data in his post. TechCrunch has confirmed that at least some of the data posted on the forum appears legitimate by attempting to sign up for new accounts using the posted email addresses. In some cases, the Ticketek website displayed an error indicating that the email addresses were already in use.
When reached by email, a TEG representative did not comment by press time.
On its official website, Ticketek says the company “sells over 23 million tickets to more than 20,000 events each year.”
While Ticketek did not name the “cloud-based platform, hosted by a trusted, global third-party vendor,” there is evidence to suggest it could be Snowflake, which has been at the center of a recent spate of data thefts affecting several of its customers, including Ticketmaster, Santander Bank and others.
A now-deleted post on Snowflake’s website from January 2023 was titled: “TEG Personalises Live Entertainment Experiences with Snowflake”. In 2022, the consulting firm Altis published a case study detailing how the company, in partnership with TEG, “built a modern data platform to ingest streaming data into Snowflake.”
Contact us
Do you have more information about this incident or other Snowflake-related breaches? From a non-work device, you can contact Lorenzo Franceschi-Bicchierai securely on Signal at +1 917 257 1382, or via Telegram, Keybase and Wire @lorenzofb, or via email. You can also contact TechCrunch via SecureDrop.
When asked for comment on the Ticketek breach, Snowflake spokeswoman Danica Stanczak did not respond to our specific questions and instead referred to the company’s public statement. In it, Snowflake chief information security officer Brad Jones said the company has “identified no evidence to suggest that this activity was caused by a vulnerability, misconfiguration, or breach of the Snowflake platform.”
Snowflake’s spokesperson declined to confirm or deny whether TEG or Ticketek is a Snowflake customer.
Snowflake provides companies around the world with services that help their customers store data in the cloud. Google-owned cybersecurity firm Mandiant said earlier this month that cybercriminals had stolen a “significant amount of data” from several Snowflake customers. Mandiant is working with Snowflake to investigate the data breach and revealed in a blog post that the two companies have notified about 165 Snowflake customers.
Snowflake blamed the hacking campaign on its customers not using multi-factor authentication, which allowed hackers to use passwords “previously purchased or obtained through information-stealing malware.”