Threat actors briefly relisted stolen Ticketmaster data from the 2024 Snowflake attack, creating confusion over whether a new breach had occurred.
Previously Stolen Ticketmaster Data Resurfaces in Arkana Security Post
Over the weekend, an extortion group named Arkana Security briefly listed what appeared to be newly compromised Ticketmaster data for sale. The post advertised 569 GB of data and was accompanied by screenshots showing ticketing and customer records, sparking fears of a fresh security breach.
However, analysis by BleepingComputer confirmed the data was not new, but rather the same dataset stolen during the 2024 Snowflake attack campaign. The files and structure matched previously leaked samples tied to the original incident.
“RapeFlake” Reference Links Post to Earlier Snowflake Recon Tool
One of the images posted by Arkana carried the caption:
“rapeflaked copy 4 quick sale 1 buyer.”
This line directly references RapeFlake, a custom-built tool previously linked to attackers who targeted Snowflake-hosted databases. The tool was designed for data reconnaissance and exfiltration during the earlier campaigns that hit several Snowflake customers.
Listing of Ticketmaster data being sold by Arkana
Source: BleepingComputer
Background: Snowflake Credential Theft Campaign Affected Multiple Organizations
The original Snowflake attacks were part of a broad data extortion campaign. Threat actors, including the group ShinyHunters, accessed data from Snowflake environments using credentials harvested by infostealer malware. The compromised credentials allowed attackers to pull sensitive customer and operational data from various companies.
Organizations impacted in the 2024 campaign included:
- Ticketmaster
- Santander
- AT&T
- Advance Auto Parts
- Neiman Marcus
- Los Angeles Unified
- Pure Storage
- Cylance
Ticketmaster was one of the most publicized victims, with attackers leaking ticketing records, personal data, and allegedly Taylor Swift ticket PDFs. The company confirmed the breach at the end of May and began notifying affected users.
Arkana’s Motive Unclear, Data Listing Later Removed
Arkana Security did not explicitly state the origin of the data, but the file naming patterns, use of the term “RapeFlake,” and exact matches to previously leaked files indicate the group was attempting to resell old data.
It remains unclear:
- Whether Arkana acquired the data from another group
- Whether Arkana is connected to ShinyHunters
- Or whether this was a repackaging of existing leaks to confuse law enforcement or attract buyers
The Ticketmaster listing was removed from the Arkana leak site as of June 9.
ShinyHunters Still Active Despite Arrests
ShinyHunters, the group behind the Snowflake attack, has been tied to numerous breaches over the past few years. One of their most notable campaigns was the PowerSchool breach, where they accessed data belonging to 62.4 million students and 9.5 million educators across more than 6,000 school districts.
More recently, the group has been linked to Salesforce-related intrusions, targeting business accounts to steal customer data and extort payments.
Despite several arrests of individuals associated with ShinyHunters in recent years, it’s still unclear if the group is operating in its original form or if new threat actors are using the name to avoid detection.
