A hacker is advertising customer data allegedly stolen from Australian ticketing and live events company TEG on a well-known hacking forum.
On Thursday, a hacker put data allegedly stolen from TEG up for sale, claiming to have information on 30 million users, including full name, gender, date of birth, username, hashed passwords and email addresses.
At the end of May, ticketing company Ticketek, which is owned by TEG, revealed a data breach affecting Australian customer data, “which is stored on a cloud-based platform, hosted by a reputable, global third-party provider.”
The company said that “no Ticketek customer accounts have been compromised,” thanks to the encryption methods used to store their passwords. TEG admitted, however, that “customer names, dates of birth and email addresses may have been affected”, which matches the data advertised on the hacking forum.
The hacker included a sample of the allegedly stolen data in his post. TechCrunch confirmed that at least some of the data posted on the forum appears legitimate by attempting to sign up for new accounts using the posted email addresses. In several cases, the Ticketek website returned an error, suggesting that the email addresses are already in use.
When contacted by email, a TEG spokesperson had no comment as of press time.
On its official site, Ticketek says the company “sells more than 23 million tickets to more than 20,000 events each year.”
While Ticketek did not name the “cloud-based platform, hosted by a global and reputable third-party provider,” there is evidence to suggest it could be Snowflake, which has been at the center of a recent series of data breaches affecting several of its customers, including Ticketmaster, Banco Santander and others.
A now-deleted post on the Snowflake website from January 2023 was titled: “TEG Personalizes Live Entertainment Experiences with Snowflake.” In 2022, the consulting firm Altis published a case study detailing how the company, in collaboration with TEG, “built a modern data platform to ingest streaming data into Snowflake.”
When contacted for comment on the Ticketek breach, Snowflake spokesperson Danica Stanczak did not respond to our specific questions and instead referred to the company's public statement. In it, Snowflake's chief information security officer, Brad Jones, said the company has “identified no evidence to suggest that this activity was caused by a vulnerability, misconfiguration, or breach of the Snowflake platform.”
Snowflake's spokesperson declined to confirm or deny whether TEG or Ticketek are Snowflake customers.
Snowflake provides companies around the world with services that help their customers store data in the cloud. Google-owned cybersecurity company Mandiant said earlier this month that cybercriminals have stolen a “significant volume of data” from several Snowflake customers. Mandiant is working with Snowflake to investigate the data breach and revealed in a blog post that the two companies notified around 165 Snowflake customers.
Snowflake has blamed the hacking campaign on its customers for not using multi-factor authentication, which allowed hackers to use passwords “previously purchased or obtained through data-stealing malware.”