Corporations really are amazing. They are, simultaneously, in a superposition of getting away with crimes because they don't exist, and providing goods and services and benefitting shareholders because they do. Remarkable.
I understand the sentiment but while big companies can break the law with impunity you certainly can't. Companies can ignore IP law and any other law they want and they will very likely profit from it, even if they manage to get caught and earn a tiny slap on the wrist. If you on the other hand break even a minor infraction the state will throw the book at you with everything they have, your criminal record will mean that you will struggle to get work and housing, and you can lose everything.
Then they disrespect IP laws on even bigger scale and use all of your code/text/images to train generative tools they sell for money. Can't stick it to them...
They were accessing a system via internal endpoints not released to the public. They were also using stolen credentials a former employee of songbird brought over to ticketmaster, and accessed devices using stolen credentials. If that isn't "hacking" then the word has lost all meaning.
No they don't. Rules for companies and individuals are different in this country, unless you possess some secret to getting away with potentially ruining the lives of 1.5 times the population of the United States with the financial equivalent of a slap on the wrist.
I feel sad saying this: I don't think it's right, but I worry less and less about these as time goes on; Not because I don't think it sucks, but because my information has been in so many breaches up to this point that I'm not sure what value there is left in any data that might appear in subsequent breaches.
Whenever HIBP sends me a notice I just think "oh well, add it to the pile". By this point I just assume any info I share with any company WILL be leaked eventually. Which is why I'd like to see an equivalent of the GDPR in the US, because companies won't do the right thing (collect the minimum necessary) unless they're legally forced to.
My favorite is when a credit bureau like Experian leaks your info and offers free monitoring as compensation - but you have to give them your info again to get the free monitoring.
> Based on data provided to us by the Threat Group responsible for the compromise, we can assert with a high degree of confidence the data is legitimate. Date ranges in the database appear to go as far back as 2011. However, some dates show information from the mid-2000's.
> NOTE: The data provided to us, even as a 'sample', was absurdly large and made it difficult to review in depth. We are unable to verify the authenticity of financial information. Briefly skimming the PII present in the dump, it appears authentic.
SEC registrants are required to make a disclosure within 4 business days once a cybersecurity incident is deemed by the company to be material to a reasonable investor.
PS. I just wanted to note, this is by the same outfit also responsible for the Santander breach. (Both, apparently, due to a successful breach of an upstream storage provider.)
There's not much press going on for this breach yet. I've never heard of Hudson Rock until I read their report about Snowflake today. Only reputable outlet I've seen make an article yet is BleepingComputer.
The intent of GP's comment is to imply the hack is a Snowflake hack that happens to compromise Ticketmaster data. If this was a compromise of a Ticketmaster account that managed their data at Snowflake, Snowflake would have been downstream of the original compromise.
This is a far more scary claim than OP's article, because that means there could be many more compromised customers out there that don't know it yet. It's a bit chilling, knowing some friends might be in deep shit.
On one hand, yes, there's a certain amount of schadenfreude here, because I have on multiple occasions been more or less annoyed by Ticketmaster. On the other hand, because I've used them quite a lot (because for many events, what other choice is there?), I can't say I'm terribly happy that my personal information has been so thoroughly exposed via this hack. And I'm more than a bit frustrated that Ticketmaster/Live Nation have been so careless and sloppy with their security - and employee training and vetting - to allow this to happen.
Boy I sure am glad that Ticketmaster refused to let me change my email address some months back when I was trying to clean up my profile and change the registered address from my_handle@gmail.com to my_handle+ticketmaster@gmail.com.
The actual relevant question is: how many of you make a point of disallowing this? You have to go out of your way to make that not work, given that + is a valid character in email addresses.
Well, you have to go out of your way to prevent it. The sub-addressing complexity is on the email provider side; ticketmaster doesn't have to do anything for it to work except not reject valid email addresses.
In my experience, most but not all sites will accept "+" email addresses.
At my current employer we do allow this. It's handy for testing and not a big deal if we have users doing this to make multiple accounts (they don't gain anything by doing that). But at a previous job it was a bigger deal and we'd strip off the sub-address part because we were trying to match up email addresses across client sites (this was due to a bit of a shady thing the company was doing and part of the reason why I left).
I’m intrigued how it would have made a difference, wouldn’t it be extremely trivial to “clean up” the dataset by just doing a regex and removing all the “+*”. Or are scammers that lazy? Maybe I’m missing something?
It's just an edge case you'd have to devote brainpower and resources to. It may not be a big commitment, but if it only nets you an additional 0.25% valid email addresses or something, it's probably not going to get done.
Even if accepted, Google-style plus addressing seems worthless in most situations, as it is trivial to simply remove the plus sign and everything after it to get your native email address.
You can also use my.handle@gmail.com which I use (with a filter to trash immediately) when I need to sign up for something with a high likelihood of spamming me.
The neater thing about the period method is how no one else but you can know which (if any) position(s) of the period are the "good" one(s) and which are the "giving away that it's likely spam" ones.
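As an added example (not code from any commenter), here is what the thread describes on both sides: a site only has to avoid an over-strict validator to support "+" sub-addressing, and a canonicalizer shows why plus tags and Gmail-style dots collapse trivially and so are not a privacy measure (useful defensively for duplicate-account detection). The regexes are a simplified check rather than a full RFC 5322 parser, and the dot-insensitive provider set is an assumption.

```python
import re

# Simplified RFC 5322 "dot-atom" local part: note "+" and "." are legal.
_ATOM = r"[A-Za-z0-9!#$%&'*+/=?^_`{|}~-]+"
_LOCAL_RE = re.compile(rf"^{_ATOM}(\.{_ATOM})*$")
_DOMAIN_RE = re.compile(
    r"^(?:[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?\.)+[A-Za-z]{2,}$"
)

def is_valid_email(addr: str) -> bool:
    """Accept any syntactically valid address, sub-addressed or not."""
    if addr.count("@") != 1:
        return False
    local, domain = addr.split("@")
    return bool(_LOCAL_RE.match(local)) and bool(_DOMAIN_RE.match(domain))

def rejects_plus_naively(addr: str) -> bool:
    """The over-strict pattern the thread complains about: it has to go
    out of its way (a too-narrow character class) to refuse '+'."""
    return re.fullmatch(r"[A-Za-z0-9._-]+@[A-Za-z0-9.-]+", addr) is None

# Providers that ignore dots in the local part. Gmail documents this;
# the set is an assumption for illustration, not an authoritative list.
DOT_INSENSITIVE = {"gmail.com", "googlemail.com"}

def canonical(addr: str) -> str:
    """Canonical mailbox identity for duplicate-account detection.
    Demonstrates why '+tag' and extra dots give no real obfuscation."""
    local, domain = addr.strip().lower().split("@", 1)
    local = local.split("+", 1)[0]          # drop the "+tag" sub-address
    if domain in DOT_INSENSITIVE:
        local = local.replace(".", "")      # dots are ignored by Gmail
    return f"{local}@{domain}"
```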
Lol, if an individual does this, you're going to go to jail. A company does this? Tiny fine. What a world we live in.
Prosecutorial discretion is real and dangerous. There are two sets of laws at work in the US, one for us, and a different one for them.
A complete lack of it is also dangerous; that's what gets us zero-tolerance policies of suspending victims of school bullying.
A company itself does nothing. People make decisions and carry them out and should be accountable.
https://www.justice.gov/usao-edny/pr/ticketmaster-pays-10-mi...
People have been prosecuted and convicted under the CFAA for significantly less.
The CFAA is a terribly abused law, but that is a fair use of the word "hacking".
It would take more personal information for me to really care (private messages, emails, social network interactions).
Unless there are lawsuits most people will forget about this breach in a week.
They also continuously spam your email, but they’re easy enough to block.
Imagine being a young woman with a stalker.
https://x.com/vxunderground/status/1796063116574314642
---
No official confirmation yet.
https://www.sec.gov/news/statement/gerding-cybersecurity-dis...
All my previous comments on this specific story have been that this isn’t verified.
Lots of major news sites pulled the trigger on the headline for nothing more than clicks.
Some journalists say that Australian Home Affairs confirmed the breach… lol! They acknowledged the rumour, but that got spun as “verification”.
Then again, maybe it’s lack of decent cybersecurity writers.
I personally can’t stand this weaksauce writing with no fact checking and the nonchalant way of throwing companies under the bus.
https://stackdiary.com/ticketmaster-confirms-data-breach-wit...
Filing: https://www.sec.gov/Archives/edgar/data/1335258/000133525824...
As long as the investor is hurt, right? The users are just collateral.
I find the "honor amongst thieves" part so interesting in these breach stories.
(1) Troy Hunt, via an "X" user has a screenshot to the actual sale -> https://x.com/troyhunt/status/1795551650553491870
Ticketmaster Hacker Demands $500K Ransom (Plus $300K Ransom Processing Fee, $220K Ransom Handling Fee)
https://theshovel.com.au/2024/05/30/ticketmaster-hacker-dema...
Comparing apples and oranges here but I like thinking about the monetary value assigned to a byte.
(posted on HN here: https://news.ycombinator.com/item?id=40534868)
What's the biggest data hack ever?
Ticketmaster surely uses Snowflake's services to store data, making it downstream of Ticketmaster's own services.
Webdevs of HN: how many of you make a point of allowing sub-addressing?
* https://en.wikipedia.org/wiki/Email_address#Sub-addressing