A Ticketmaster leak indexed by leaksear.ch contains 928,546 customer order records tied to the May 20, 2024 Snowflake-related breach, including contact details, masked payment-card data, and event, venue, and ticket metadata (leaksear.ch metadata). Live Nation said it identified unauthorized activity in a third-party cloud database environment primarily containing Ticketmaster data on May 20, 2024, and said a criminal threat actor offered alleged company user data for sale on May 27 (investors.livenationentertainment.com).
What happened
Live Nation, Ticketmaster's parent company, disclosed in a May 31, 2024 SEC filing that it had launched an investigation after finding unauthorized activity in a third-party cloud database environment containing company data, primarily from Ticketmaster. Ticketmaster's incident page describes the impacted system as an isolated cloud database hosted by a third-party data services provider, says Ticketmaster accounts remained secure, and says some customers who bought tickets to events in North America were being notified (investors.livenationentertainment.com, help.ticketmaster.com).
Public reporting tied Ticketmaster to the broader Snowflake customer data-theft campaign. BleepingComputer reported that ShinyHunters advertised alleged Live Nation/Ticketmaster data for 560 million users and that samples it reviewed included names, email addresses, phone numbers, addresses, hashed credit card details, and payment amounts. Mandiant, reporting on the broader UNC5537 campaign, said the actor used stolen customer credentials to access Snowflake customer instances, found no evidence that access stemmed from a breach of Snowflake's enterprise environment, and said about 165 potentially exposed organizations were notified (www.bleepingcomputer.com, cloud.google.com).
The 560 million figure is a claim from the public extortion listing and reporting, not the scale of this leaksear.ch index. This article uses 928,546 records as the leak scale because that is the record count given in the indexing metadata supplied for the dataset covered here (leaksear.ch metadata).
What data was exposed
The leaksear.ch index lists searchable contact and account pivots: name, email address, phone number, postal address, country, IP address, and username (leaksear.ch metadata).
Additional stored fields show customer order and ticket context, including street and postal address components, phone numbers, browser or session identifiers, sales order IDs, platform and delivery codes, event names and start times, venue names and addresses, seat and section details, ticket face value, ticket barcode fields, fraud and AVS indicators, and payment-card metadata such as card type, expiration date, last four digits, and masked card value (leaksear.ch metadata). No full payment-card number or CVV field is listed in the supplied metadata (leaksear.ch metadata).
Why this matters
The risk is not limited to payment-card fraud. Contact data combined with real event, venue, order, and seating details can support convincing phishing, fake support calls, refund scams, and account-recovery attempts (leaksear.ch metadata). Ticketmaster itself warned affected users to monitor bank accounts and be cautious of unsolicited emails or requests for personal information over the phone (help.ticketmaster.com). Individuals who bought tickets through Ticketmaster should use the exposure check on this page to see whether their data appears in this leak.
Check your exposure
Vetted researchers and incident-response teams can request access, or sign in if they already have access, to check this dataset. Searchable pivots for this leak include address, country, email, IP address, name, phone, and username.