Miscreants claim they've snatched 560M people's info from Ticketmaster

Ticketmaster is believed to have had its IT breached by cybercriminals who claim to have stolen 1.3TB of data on 560 million of the corporation's customers – and are now selling all that info for $500,000. On Wednesday, Australia's Department of Home Affairs told The Register that government, at least, is "aware of a cyber …

  1. Yorick Hunt Silver badge
    Devil

    (In Michael Palin's voice as Ken) "Revenge!"

    Australia's own Shovel hit the nail on the head;

    "Ticketmaster Hacker Demands $500K Ransom (Plus $300K Ransom Processing Fee, $220K Ransom Handling Fee)"

    1. Korev Silver badge
      Pint

      Re: (In Michael Palin's voice as Ken) "Revenge!"

      Fantastic -->

    2. MachDiamond Silver badge

      Re: (In Michael Palin's voice as Ken) "Revenge!"

      Wow, they left out the "convenience fee" and the "delivery fee".

  2. fitzpat

    Cyber? Really? Is it still the 90s?

    1. Dan 55 Silver badge

      You can tell it's not the 90s any more because nobody says information superhighway now.

      1. David 132 Silver badge
        Happy

        Wait, what am I supposed to web-surf on now then??

    2. seven of five
      Coat

      "Cyber" now is "caiber" - with AI

      sorry. A bit.

      1. Calum Morrison

        I still fear multimedia attacks.

  3. Dr Who

    To regain credibility, Ticketmaster should be transparent about the breach, its impact, and the steps to prevent future incidents ...

    Whoa! Just saw some pigs fly past my window.

    The British Library have set the gold standard in actually doing this with their recent and catastrophic breach. https://www.bl.uk/home/british-library-cyber-incident-review-8-march-2024.pdf

  4. Mike 137 Silver badge

    "the last four digits of the cards plus names and expiration dates"

    That means the last three digits of the (at least seven digit) account number and the checksum digit. So even supposing that the card issuer could be identified or inferred, it's still relatively hard to make fraudulent use of that information in the presence of adequate fraud monitoring. On the other hand one of my cards was compromised from South America a few years back, apparently by pure numeric trial and error against the PAN on card not present transactions, but the bank did pick them up quite swiftly. However, the entire card number system is a somewhat fragile legacy of pre-internet slow computer days, and should ideally be revised.

    1. sitta_europea Silver badge

      Re: "the last four digits of the cards plus names and expiration dates"

      "That means the last three digits of the (at least seven digit) account number and the checksum digit. ..."

      Which effectively means four of the (at least) seven digits, which starts to look a little weak at only a thousand combinations to try.

      The four dollar padlock on my hundred dollar bicycle has more combinations than that.

      1. Anonymous Coward

        Re: "the last four digits of the cards plus names and expiration dates"

        And on the bicycle lock, you're limited to one try per second, if you're especially quick.

      2. Mike 137 Silver badge

        Re: "the last four digits of the cards plus names and expiration dates"

        "Which effectively means four of the (at least) seven digits, which starts to look a little weak at only a thousand combinations to try"

        They also have to try against all the card issuer codes (some of which expect different account number lengths), so brute force will leave a pretty wide fraud alert footprint if banks are paying attention. However I did state that I'd fallen victim to a brute force attack in the past, so yes, it can be done.

    2. parrot

      Re: "the last four digits of the cards plus names and expiration dates"

      I stopped saving card details in websites for convenience a couple of years ago, even though some sites make it tedious and annoying (talking to you, ParentPay). I no longer trust any online retailer to be secure enough not to leak something at some point. Perhaps it was naive I ever did.

      1. Fred Daggy Silver badge
        Big Brother

        Being paranoid isn't enough.

        I think you're assuming that the provider wasn't recording the javascript entry of digits and has the card anyway. Or read it from a cache in the browser.

        Theoretically impossible due to PCI. But, PCI is inadequate. Disposable cards are the only short term answer (and longer CC numbers with a more complex checkdigit algorithm).

  5. werdsmith Silver badge

    the long-term impact to Ticketmaster's reputation and customer trust could be "profound,"

    TicketMaster don't have much of a reputation anyway. It's like getting dirt on a turd.

    1. John Brown (no body) Silver badge

      And likewise, no matter their reputation or extortion "fee add-ons" tactics, they are so ubiquitous and often the only seller of tickets for an event, the punters have no choice but to use them anyway.

  6. werdsmith Silver badge
  7. This post has been deleted by its author

  8. Plest Silver badge
    Pint

    Given how "TicketBastard" has been fleecing music fans for years I don't think I'd shed a tear if they went under. I feel for people whose details are once more out there being traded for pennies, that's a shitty state of affairs but if it brought down TM I'd throw a party.

    1. Andy the ex-Brit
      Pint

      I'm in! How do I get tickets to the party?

  9. ThereBePirates
    Mushroom

    Can we just GDPR and data breach fine them into oblivion and then it'll be better for any gig/concert goers.

  10. sitta_europea Silver badge

    "ShinyHunters told DataBreaches ... the biz never opened the message nor responded to it."

    Never opened the message?

    Assuming their message was an email, how did they know?

    If you know anything about email, you know that if the recipient knows what it's doing, it's impossible to know whether or not an email has been read.

    Or even displayed on a screen, or printed.

    Or even received.

    If the criminals didn't know this, it would make the fact that the dimwits managed to compromise their victim even more alarming than it already is.

  11. chivo243 Silver badge
    Meh

    Old info

    It's been a looong time since I've used Ticket Blaster, my info could be close to the oldest poofed, and the address where I live now is in another country, and the credit card is from a bank I've not done business with in quite some time...

  12. Swedish Chef

    Mandatory password reset

    I just tried to log into my account and got asked to reset my password. Is this really something they do regularly as they claim?

    > It’s Time to Update Your Password

    > To keep your account safe and secure, we periodically ask fans to reset their password, preferably to a new password that you haven’t already used with this account. Let’s Reset Password

    Either way, my supply of sympathy in this particular case appears to be very limited for some reason.

    1. MachDiamond Silver badge

      Re: Mandatory password reset

      " Mandatory password reset

      I just tried to log into my account and got asked to reset my password. Is this really something they do regularly as they claim?"

      I've never seen any sense in this sort of thing. The only time it would make sense is if some entity was trying passwords against my account and I change it to something they've already tried. I believe that I already have a solid approach to the passwords I use so changing them causes more problems for me than any protection I might gain. For people that just use one password for everything, they aren't going to change.

  13. Anonymous Coward

    Don’t store your CC details on websites

    Convenient: yes for you (and the hackers)

    Faster: yes (for you and the hackers)

    Now, if unstored CC details have been leaked, we have a much bigger issue.
