
Stolen Ticketmaster Data Advertised on Rebooted BreachForums

ShinyHunters Fronting for Threat Group That Allegedly Infiltrated AWS Instances
BreachForums is back, again. (Image: Shutterstock)

A massive quantity of data allegedly stolen from venue ticket intermediary Ticketmaster is being offered for sale on the recently rebooted BreachForums data leak marketplace.


The listing, posted by administrator ShinyHunters, offers for a "one time sale" 1.3 terabytes of data purportedly comprising 560 million customers' full names, email addresses, telephone numbers, hashed payment card numbers, card expiration dates and a complete history of their financial transactions on the site.

Researchers who reviewed samples of the data being offered for sale say it appears to be legitimate and includes transactions dating from at least March 10 of this year, stretching back to 2011 or possibly even the mid-2000s.

"Sometime in April an unidentified threat group was able to get access to Ticketmaster AWS instances by pivoting from a managed service provider," the malware research group vx-underground, which was able to review an "absurdly large" sample of the stolen data shared by the attacker, said in a post on the social media platform X.

While ShinyHunters - or someone now using that handle, which is the name of the prolific cybercrime group that shepherded the previous instance of BreachForums - is advertising the stolen data, an unidentified threat group claimed credit for infiltrating the AWS instances and exfiltrating the data, vx-underground said.

"Based on data provided to us by the threat group responsible for the compromise, we can assert with a high degree of confidence the data is legitimate," vx-underground said, with some caveats. "The data provided to us, even as a 'sample', was absurdly large and made it difficult to review in depth. We are unable to verify the authenticity of financial information."

The alleged Ticketmaster breach comes at a difficult time for owner Live Nation Entertainment. Last week, the U.S. Department of Justice filed an antitrust lawsuit against it.

BreachForums' Mid-May Disruption

The tranche of stolen data is an advertisement for the latest incarnation of BreachForums - formerly also known or referenced as BreachedForums, Breach Forums and Breached - which keeps coming back to life, albeit sometimes tied to different domain names.

Across its various iterations, the cybercrime site has been used by ransomware groups and other criminals to "buy, sell, and trade contraband, including stolen access devices, means of identification, hacking tools, breached databases and other illegal services," the FBI said.

Two weeks ago, an international law enforcement operation disrupted BreachForums, administered by Baphomet. Both the clearnet and darknet versions of the site resolved to a seizure notice stating BreachForums is "under the control of the FBI," alongside logos for law enforcement agencies from New Zealand, Australia, the United Kingdom, Germany, Iceland and Ukraine (see: FBI Seizes Criminal Site BreachForums).

"They also took control over various Telegram channels belonging to both Baphomet and BreachForums owners ShinyHunters," reported threat intelligence firm Flashpoint. "Law enforcement has not shared any additional details surrounding the seizure. This has led to several rumors being circulated within the threat actor community, with ShinyHunters claiming that Baphomet had been arrested by the FBI."

Following the takedown of BreachForums earlier this month, the FBI launched a dedicated page asking for victims of BreachForums or its predecessors to come forward and assist its active investigation.

Subsequently, BreachForums "reincarnated" and reappeared under one of its seized domain names, and a post from ShinyHunters announced that the "original team" was still involved. ShinyHunters promised to reinstate any rank a user had on the previous version.

The bureau appears to be engaged in a tug of war over at least one of the domains it seized under a U.S. court order. BreachForums posted a letter purportedly sent by an FBI computer scientist to the Hong Kong-based domain registrar NiceNIC, seeking to regain control of one of the BreachForums domains seized by the FBI.

"A few hours after the seizure of the domains, around May 15th at 9PM PST, we noticed that the breachforums.st domain was released from our custody and given back to the original threat actor," the letter says. "We also noticed that we were unable to log into our official FBI account at NiceNic, which was registered with the email breachforums@fbi.gov (username: bf_fbi), leading us to believe that the account was suspended."

ShinyHunters confirmed that it had regained control of the domain. "We decided the best course of action would be to ask NiceNIC for the domains back and very unexpectedly they complied," it said in a Thursday post to BreachForums, adding that the very next thing it did was transfer the domain to a different provider.

"Moving forward: Save the .onion URL. Obviously, clearnet domains aren't going to last forever," ShinyHunters said. "We're working on getting everything back up and running. We'll keep everyone posted as we restore our infrastructure."

BreachForums' Many Incarnations

Prior to the reboot, BreachForums - hosted at breachforums.st/.cx/.is/.vc - was run by the ShinyHunters data theft gang as a clearnet and darknet marketplace.

Before that, another version of BreachForums - hosted at breached.vc/.to/.co - was run by Conor Brian Fitzpatrick, aka Pompompurin, and offered similar services. After he launched the site in March 2022, its popularity surged, and its membership grew from 1,500 to 192,000 members, Flashpoint said.

That version of the site ran until March 2023, when U.S. law enforcement arrested Fitzpatrick, then 20 years old. In January, a judge sentenced him to 20 years of supervised release and banned him from using the internet for one year (see: BreachForums Admin Avoids Prison Term).

Fitzpatrick launched BreachForums as a replacement for RaidForums - hosted at raidforums.com and run by Omnipotent - which ran from early 2015 until February 2022.

In January 2022, British police arrested RaidForums' alleged founder or co-founder, Diogo Santos Coelho, a Portuguese national. Coelho, now 24, faces a six-count U.S. indictment that includes fraud and identity theft charges. Both the U.S. and Portugal have filed extradition requests with the U.K., which Coelho continues to fight.


About the Author

Mathew J. Schwartz

Executive Editor, DataBreachToday & Europe, ISMG

Schwartz is an award-winning journalist with two decades of experience in magazines, newspapers and electronic media. He has covered the information security and privacy sector throughout his career. Before joining Information Security Media Group in 2014, where he now serves as the executive editor, DataBreachToday and for European news coverage, Schwartz was the information security beat reporter for InformationWeek and a frequent contributor to DarkReading, among other publications. He lives in Scotland.
