HACKED DATA FOR SALE?: An entity called ShinyHunters is shopping Ticketmaster customer data on the dark web. (Getty Images)

Data of 560M customers reported for sale on dark web

A week after being targeted in a U.S. Department of Justice lawsuit, Ticketmaster has been struck by an alleged hack that has apparently compromised the personal and credit card data of some 560 million of the dominant ticketing company’s customers.

According to CyberDaily.au, the data is for sale on a web hacking forum, and an entity calling itself ShinyHunters claims to have gigabytes of data in a number of files, all allegedly for sale for $500,000.

Ticketmaster customers are being advised to change their passwords.

The hack appears to be authentic as ShinyHunters has shared samples of the data, which includes customer names, addresses, and emails, credit card numbers and other personally identifiable details.

Just days ago, Australia’s Home Affairs Department, which confirmed the hack to news organizations, was accused in an audit of  being ill-prepared for rising cyber threats and not fostering collaboration with other branches of the Australian government.

According to Cyber Daily, the data breach claim was first posted on May 28, and then again in another post, this one of Russian origin, on another site, by a second hacker. It’s unclear if they are related.

Ticketmaster did not immediately respond to a request for comment or confirm the alleged data breach.

“The National Office of Cyber Security is engaging with Ticketmaster to understand the incident,” the Australia Home Affairs Department said in a statement.

The United States Embassy in Canberra said the FBI has offered assistance to its Australian counterparts.

ShinyHunters came to prominence in 2020 and 2021 with breaches of, among others, AT&T Wireless, PlutoTV, Microsoft and a number of educational apps and game apps targeted at children.

In January, French programmer Sébastien Raoult, who has ties to the group, was sentenced to three years in prison and ordered to pay $5 million by a federal court in Washington state.

The targeting of live events and related companies was presaged by panelists discussing cybersecurity at the 2023 VenuesNow Conference in Palm Springs, some of whom said specific attention should be paid to securing networks and data. The collection of massive amounts of customer data presents opportunities for operators, but with inherent risks.

(Editor’s note: this story has been updated.)