Is Ticketmaster’s 2024 Mega-Breach Now on the Cyber-Crime Resale Rack?
A look at why Arkana’s June 2025 Ticketmaster listing is almost certainly a re-sale of ShinyHunters’ record-shattering 2024 breach-and what that means for 560 million fans.
On 6 June 2025 the comparatively new ransomware crew Arkana added Ticketmaster to its Tor-hosted “shop.” The post, archived by threat-tracker Ransomware.live, touts a 1.3 TB bundle of CSV and tar.gz files-including familiar paths such as patron_lookup/ and sales_ord_event_pmt/-and pitches a “quick sale (1 buyer)”.
If that rings a bell, it should: these paths match the cache that ShinyHunters tried to sell back in May 2024 after infiltrating Ticketmaster’s Snowflake environment.
ShinyHunters asked US $500,000 for what it claimed were records on roughly 560 million customers.
Flash-back: the 2024 ShinyHunters breach - one of 2024's biggest
| Date (2024) | Milestone |
|---|---|
| 20 May | Live Nation (Ticketmaster’s parent) detects “unauthorised activity” in a Snowflake-hosted database. |
| 27 May | ShinyHunters advertises the 1.3 TB trove on BreachForums. |
| 31 May - 1 Jun | Global coverage brands it one of the largest consumer-data breaches ever (≈ 560 million records). |
| June → July | Live Nation files an 8-K with the SEC; regulators in the US, UK and Australia open investigations. |
What personal data is in the Ticketmaster dump?
Multiple sources- the original ShinyHunters sale ad, class-action filings, and analysts who inspected sample rows-agree the cache is rich, traditional PII plus granular purchase metadata.
Here’s what appears to be exposed (not every field for every customer, but all present in the 1.3 TB bundle):
| Data category | Example fields | Where it lives in the dump |
|---|---|---|
| Identity | Full name, email address, phone number, physical/billing address | patron_lookup/ CSVs and “PAT RON_CCPA_… extracts |
| Purchase history | Event name, venue, date, seat row/number, ticket price, delivery method | sales_ord_event_pmt/, sales_ord_deluxe_hdr/ |
| Payment details (partial) | Last 4 digits of card, expiration date, card-type token | sales_ord_tran/ & payment_card_token/ tables |
| Fraud / charge-back notes | Accertify case IDs, resolution codes, charge-back amounts | ACCERTIFY_FRAUD_RESOLUTIONS.csv.xz |
| Demographics | Age-band, gender, city/state/country, marketing segments | TM_PARTY_DEMOGRAPHICS.csv.xz |
| Account metadata | Account creation date, hashed password*, marketing-opt-in flags | Mixed across lookup files |
*Analysts have not published hash samples, so password format (bcrypt, SHA-1, etc.) remains unverified.
Resale or new raid? Three smoking guns
| Clue | 2024 ShinyHunters dump | 2025 Arkana listing | Why it matters |
|---|---|---|---|
| Bundle size | 1.3 TB | 1.3 TB | Exact match is unlikely by chance. |
| Folder & file names | patron_lookup/, sales_ord_event_pmt/, PATRON_CCPA_BMHILL_202404141150.csv.xz |
Identical names visible in Arkana screenshot | Timestamps still read 20240414. |
| Sales pitch | “One buyer only” | “quick sale 1 buyer” | Re-used copy is a classic flip-job tell. |
Bottom line: Assuming the data is legit, Arkana almost certainly bought-or stole-a copy of ShinyHunters’ unsold archive and is re-listing it, rather than breaching Ticketmaster again.
Who is Arkana?
- First spotted: March 2025, tied to a handful of US and European victims.
- Infrastructure: minimal Tor leak site; no proprietary locker binary identified.
- Analyst verdict: data-broker first, ransomware crew second-resale builds quick street-cred.
Why recycled data still matters
- Fresh phishing waves - attackers sync campaigns to renewed headlines.
- Credential stuffing - many fans still reuse passwords set before 2024.
- Regulatory headaches - authorities may demand new notices when data re-surfaces.
What customers should do (again)
- Enable multi-factor authentication on Ticketmaster and email accounts.
- Rotate any reused passwords.
- Stay alert for themed scams (e.g. “Ticket upgrade required”).
- Claim free credit-monitoring if Ticketmaster contacts you.
The bigger trend: the rise of the “data pawn-shop”
Flipping abandoned or bargain-bin archives is turning into a micro-industry.
For defenders, a breach’s shelf-life no longer ends with the first forum post; it can boomerang under a new logo months-or years-later. Expect Arkana to drop “proof-of-life” samples or release the full haul if no private buyer bites. Either outcome keeps regulators-and 560 million customers-watching.
