BreachForums Returns Just Weeks After FBI Seizure - Honeypot or Blunder?

The online criminal bazaar BreachForums has been rebuilt barely two weeks after a U.S.-led law enforcement operation dismantled the site and seized control of its infrastructure.

Cybersecurity researchers and dark web trackers Brett Callow, Dark Web Informer, and FalconFeeds reported the site's return at breachforums[.]st – one of the seized domains – under a user named ShinyHunters, who has since put up for sale a 1.3 TB database said to contain details of 560 million Ticketmaster customers for $500,000.

This includes full names, addresses, email addresses, phone numbers, ticket sales and event information, and the last four digits of credit cards and their related expiration dates.

In an odd twist, however, visitors to the site are now required to register an account before they can view the listing.

The development follows a joint law enforcement operation that seized all of the new domains belonging to BreachForums (breachforums[.]st/.cx/.is/.vc) and suggested that the site administrators Baphomet and ShinyHunters may have been detained.

The operation also resulted in the seizure of the Telegram channel owned by Baphomet, with the U.S. Federal Bureau of Investigation (FBI) indicating that it's investigating the site's backend data.

It's not currently clear whether the individual(s) using the ShinyHunters alias on BreachForums is the original ShinyHunters hacker. Also unknown is how they regained control of one of the clearnet domains seized by the FBI, although Hackread.com reported that they reclaimed the domain from the registrar NiceNIC.

However, the possibility that the revived site is a honeypot has not been lost on members of the cybersecurity community.

BreachForums emerged in March 2022 in the aftermath of the shutdown of RaidForums and the arrest of its owner "Omnipotent." It was taken down in mid-June 2023, after which Baphomet and ShinyHunters revived it as a new site under the same name.

Both the U.S. Department of Justice (DoJ) and the FBI have yet to comment on the takedown, or on the forum's re-emergence for that matter.

Ticketmaster Confirms Breach

Ticketmaster's parent company Live Nation stated on May 31, 2024, that it suffered a breach after data was stolen from a third-party cloud database environment. Although the name of the supplier was not divulged, it's thought to be Snowflake, based on a report published by Hudson Rock.

The Israeli cybersecurity firm reported that a Snowflake employee's ServiceNow credentials were stolen in a Lumma Stealer campaign on October 5, 2023, allowing the threat actors to access the employee's ServiceNow account in a manner that bypassed two-factor authentication (2FA) controls.

"Info-stealer infections as a cybercrime trend surged by an incredible 6,000% since 2018, positioning them as the primary initial attack vector used by threat actors to infiltrate organizations and execute cyberattacks, including ransomware, data breaches, account overtakes, and corporate espionage," Hudson Rock said.

It further added that the threat actors behind the hack used the credentials to break into other firms, including Santander. Earlier this month, the bank disclosed it had been compromised, and said the incident affected customers of Santander Chile, Spain, and Uruguay.

Snowflake has since stated that it's "investigating an increase in cyber threat activity targeting some of our customers' accounts" and that it became aware of the unauthorized access on May 23, 2024. The malicious activity is believed to have begun around mid-April 2024.

The company said it has also alerted all customers, advising them to review their account settings and enable 2FA to protect their data. It, however, rejected suggestions that the activity was caused by any vulnerability, misconfiguration, or breach of its product.

That said, Snowflake confirmed that a former employee's demo account was accessed with stolen credentials, but maintained that it did not contain sensitive data and was not connected to any of its production or corporate systems.

(The story was modified after publication to incorporate details regarding the Ticketmaster compromise.)