Executive Summary

On May 20, 2024, Live Nation discovered unauthorized activity in its third-party cloud database environment, later identified as Snowflake, and disclosed it in its SEC filing. The database contains information regarding the company, primarily from its Ticketmaster subsidiary. In the days following the filing, analysts found that multiple Snowflake clients had data posted for sale on the Dark Web. On May 23, a threat actor “Whitewarlock” posted Santander Group data for sale. On May 27, 2024, the threat actor “ShinyHunters” offered the Live Nation/Ticketmaster data of 560M users for $500k USD on the Dark Web. According to various reports, the breach occurred via credentials for a Snowflake employee’s ServiceNow account that were stolen through the Lumma Stealer campaign in October 2023. In its most recent response, on June 2, 2024, Snowflake released Indicators of Compromise (IOCs) and recommended actions to assist in the investigation of Snowflake customer accounts.