Ticketmaster claims that tickets stolen in its data breach are useless, while scalpers have proven the rolling barcode method is not 100% effective.

While cybercriminals are offering free tickets to Taylor Swift Eras Tour and other events, Ticketmaster is telling would-be purchasers that these tickets will prove to be worthless.

Those who have claimed responsibility for the Ticketmaster data breach say they’ve stolen 440,000 tickets for Taylor Swift’s Eras Tour, and as proof have leaked 170k ticket barcodes. However, those barcodes are long gone, as a Ticketmaster spokesperson said:

> “Ticketmaster’s SafeTix technology protects tickets by automatically refreshing a new and unique barcode every few seconds so it cannot be stolen or copied.”

The rotating barcodes that change every few seconds is a core feature that protects against “scalpers” who buy tickets from licensed sellers and then resell them at—often—huge profits. You could compare this to the “rolling code” method that most car manufacturers use to prevent car thieves from using a Flipper-Zero to steal your car. You can record and retransmit the code sent by a key fob but that exact same code will no longer work.

From past experience we can say that scalpers are usually one step ahead of the ticket platforms.

Only yesterday, the tech journalists at 404 Media reported about a lawsuit filed in California by concert giant AXS which gives readers some insight into an ongoing legal and technological battle between ticket scalpers and platforms like Ticketmaster and AXS.

404 explains that by reverse engineering the process that ticket platforms use, scalpers can generate valid tickets which they can then sell through their own platforms.

In the lawsuit, AXS says that scalpers are selling counterfeit tickets to unsuspecting customers. However, from the buyer’s standpoint—exaggerated price aside—if you paid for them and they get you in the venue, what’s the difference?

But the point is, the struggle between ticket platforms and scalpers is an arms race in which each side keeps coming up with new methods, and there is now way for the average customer to tell who is currently ahead. So buying these tickets poses a risk of losing your money.

The Ticketmaster spokesperson said:

> “This is just one of many fraud protections we implement to keep tickets safe and secure.”

Unfortunately, the customer and card details of one million Ticketmaster users were not that safe and secure: The cybercriminals released that data when Ticketmaster refused to pay the ransom for the allegedly 560 million Live Nation/Ticketmaster users they managed to steal.

Either way. Be careful when buying tickets and when receiving emails about free concert tickets. They could turn out to be costly.

Malwarebytes has a free tool for you to check how much of your personal data has been exposed online. Submit your email address (it’s best to give the one you most frequently use) to our free Digital Footprint scan and we’ll give you a report and recommendations.

**We don’t just report on threats – we help safeguard your entire digital identit**y

Cybersecurity risks should never spread beyond a headline. Protect your—and your family’s—personal information by using identity protection.

 Ticketmaster says stolen Taylor Swift Eras Tour tickets are useless 

Shopify has denied it has suffered a breach, saying the stolen data comes from a third-party provider that will notify affected customers.

Shopify has denied a breach of its systems after a cybercriminal posted alleged Shopify customer details online.

Shopify told BleepingComputer and other publications that the incident happened at a third party:

> “Shopify systems have not experienced a security incident. The data loss reported was caused by a third-party app. The app developer intends to notify affected customers.”

The cybercriminal posting under the handle “888” claims the breach took place in 2024 and contains 179,873 rows of users’ information.

Post by 888 offering Shopify data for sale

The data offered for sale includes:

*   Shopify ID
*   First name
*   Last name
*   Email address
*   Mobile phone number

It also includes some Shopify specific data like number of orders, total spent, email subscription status, email subscription date, SMS subscription status, and SMS subscription date.

Where the data comes from is a good question.

In March, Cybernews reported about a publicly accessible MongoDB database that belonged to a US-based company, Saara, who develop Shopify plugins. The leaked database stored 25GB of data which stemmed from plugins covering over 1,800 Shopify stores.

In June, we reported about a breach affecting Evolve Bank & Trust that also affected several of its partners. Shopify is a partner of Evolve.

No doubt this isn’t the end of the story. We will keep you updated.

**Protecting yourself after a data breach**

There are some actions you can take if you are, or suspect you may have been, the victim of a data breach.

*   **Check the vendor’s advice.** Every breach is different, so check with the vendor to find out what’s happened, and follow any specific advice they offer.
*   **Change your password.** You can make a stolen password useless to thieves by changing it. Choose a strong password that you don’t use for anything else. Better yet, let a password manager choose one for you.
*   **Enable two-factor authentication (2FA).** If you can, use a FIDO2-compliant hardware key, laptop or phone as your second factor. Some forms of two-factor authentication (2FA) can be phished just as easily as a password. 2FA that relies on a FIDO2 device can’t be phished.
*   **Watch out for fake vendors.** The thieves may contact you posing as the vendor. Check the vendor website to see if they are contacting victims, and verify the identity of anyone who contacts you using a different communication channel.
*   **Take your time.** Phishing attacks often impersonate people or brands you know, and use themes that require urgent attention, such as missed deliveries, account suspensions, and security alerts.
*   **Consider not storing your card details**. It’s definitely more convenient to get sites to remember your card details for you, but we highly recommend not storing that information on websites.
*   **Set up identity monitoring.** Identity monitoring alerts you if your personal information is found being traded illegally online, and helps you recover after.

Malwarebytes has a free tool for you to check how much of your personal data has been exposed online. Submit your email address (it’s best to give the one you most frequently use) to our free Digital Footprint scan and we’ll give you a report and recommendations.

 Shopify says stolen customer data was taken in third-party breach 

A list, known as RockYou2024, of almost 10 billion passwords has been released on a hacking forum. What are the dangers?

On a popular hacking form, a user has leaked a file that contains 9,948,575,739 unique plaintext passwords. The list appears to be a compilation of passwords that were obtained during several old and more recent data breaches.

The list is referred to as RockYou2024 because of its filename, rockyou.txt.

To cybercriminals the list has some value because it contains real-world passwords. This means if an attacker tried this list of passwords to try to break into an account (known as a brute force attack) they’s be more likely to get in than just trying a list of any old letters and words. However, it’s highly unlikely that there are any services or websites that would allow anyone to try such an enormous number of passwords, so it’s really only useful to attackers who have stolen a password database and are trying to crack its passwords offline, on their own computer.

Another possible use for cybercriminals is to combine the list with data from other breaches, such as combinations of usernames and passwords, which could get results if the password has been reused. If the cybercriminals also have a list that contains hashed passwords, they could even try to match the hash values of the passwords.

Having the actual password makes an attack a lot easier than when you’re trying a pass-the-hash attack, where an attacker tries to authenticate to a remote server or service by using the hash of a user’s password. However, this only works on services that are vulnerable to pass-the-hash attacks, instead of requiring the associated plaintext password as is normally the case.

To cut a long story short, if you don’t reuse passwords and never use “simple” passwords, like single words, then this release should not concern you. If you use multi-factor authentication (MFA), and you should everywhere you can, there’s also no reason to worry about this.

Malwarebytes has a free tool for you to find out how much of your personal data has been exposed online. Submit your email address (it’s best to give the one you most frequently use) to our free Digital Footprint scan and we’ll give you a report and recommendations.

**We don’t just report on threats – we help safeguard your entire digital identit**y

Cybersecurity risks should never spread beyond a headline. Protect your—and your family’s—personal information by using identity protection.

 &#8216;RockYou2024&#8217;: Nearly 10 billion passwords leaked online 

A list of topics we covered in the week of July 1 to July 7 of 2024

July 5, 2024 - The cybercriminals behind the Ticketmaster data breach are giving away free Taylor Swift concert tickets.

July 4, 2024 - Authy users have been warned that their phone numbers have been obtained by cybercriminals that abused an unsecured API endpoint.

July 3, 2024 - Buy now and pay later provider Affirm has notified the SEC that customer data of its card users was compromised in the Evolve data breach.

July 2, 2024 - It turns out that a breach at the Prudential impacted a lot more people than was initially thought. The company is now offering identity monitoring to affected customers.

July 1, 2024 - An Australian man was arrested for alleged evil twin attacks. What are they and what can you do about them?

 A week in security (July 1 &#8211; July 7) 

The cybercriminals behind the Ticketmaster data breach are giving away free Taylor Swift concert tickets.

The cybercriminals who claimed responsibility for the Ticketmaster data breach say they’ve stolen 440,000 tickets for Taylor Swift’s Eras Tour.

As proof, an entity using the handle Sp1d3rHunters, a merger of Sp1d3r and ShinyHunters who are both aliases associated with the breach, leaked 170k barcodes for free for Taylor Swift’s ERAS Tour.

In a post on the infamous stolen data site BreachForums, Sp1d3rHunters is offering many thousands of tickets for upcoming Taylor Swift concerts in three cities in the US: Miami, New Orleans, and Indianapolis.

Post by Sp1d3rHunters

The post includes a link to a free tutorial on how to make your own printable barcode tickets.

It also includes a threat to Ticketmaster:

> “Pay us $2million USD or we leak all 680M of your users information and 30million more event barcodes including:
> 
> more Taylor Swift events, P!nk, Sting, Sporting events F1 Formula Racing, MLB, NFL and thousands more events.”

This is the second release of data from the breach, after the cybercriminals–then posting under the name Sp1d3r–gave away one million records including full details (name, address, email, and phone) of Ticketmaster customers.

For Ticketmaster, the release of free Taylor Swift tickets could turn out to be a costly affair. It’s not just the value of the tickets that’s at stake. The company will also need to reissue the tickets to their rightful owners, as well as no doubt deal with more than the expected number of visitors to those concerts, leading to the need to employ extra security staff. All that and we’ve not yet touched on the reputational damage, which already is substantial but is likely to grow even more.

Even though it may be tempting, we would advise against trying to use these “free tickets.” Given the timeframe until the events, Ticketmaster should have enough time and opportunity to invalidate the stolen tickets, and you are likely to receive exactly what you paid for: nothing.

Swifties should also be wary of phishing attempts that will undoubtedly try to capitalize on the news that “free tickets” are available.

****Check your exposure****

While matters are still unclear how much information was involved, it’s likely you’ve had other personal information exposed online in previous data breaches. You can check what personal information of yours has been exposed with our Digital Footprint portal. Just enter your email address (it’s best to submit the one you most frequently use) to our free Digital Footprint scan and we’ll give you a report.

**We don’t just report on threats – we help safeguard your entire digital identit**y

Cybersecurity risks should never spread beyond a headline. Protect your—and your family’s—personal information by using identity protection.

 Ticketmaster hackers release stolen ticket barcodes for Taylor Swift Eras Tour 

Authy users have been warned that their phone numbers have been obtained by cybercriminals that abused an unsecured API endpoint.

Twilio has warned users of the Authy multi-factor authentication (MFA) app about an incident in which cybercriminals may have obtained their phone numbers.

Twilio said the cybercriminals abused an unsecured Application Programming Interface (API) endpoint to verify the phone numbers of millions of Authy multi-factor authentication users.

Authy is an app that you install on your device which then produces a MFA code for you when logging into services.

The cybercriminals were able test the validity of an enormous list of phone numbers against the unsecured API endpoint. If the number was valid, the endpoint would return information about the associated accounts registered with Authy.

Twilio says it has seen no evidence of the attackers gaining access to Twilio’s systems or other sensitive data, but as a precaution it is asking all Authy users to update to the latest Android and iOS apps.

BleepingComputer notes that a threat actor named ShinyHunters leaked a CSV text file containing what they claim are 33 million phone numbers registered with the Authy service.

> “In late June, a threat actor named ShinyHunters leaked a CSV text file containing what they claim are 33 million phone numbers registered with the Authy service.”

In that post, ShinyHunters suggests that buyers combine the data set with those leaked in the Gemini or Nexo data breaches. Nexo is a crypto platform where users can buy, exchange, and store Bitcoin and other cryptocurrencies. Gemini is another cryptocurrency exchange which has suffered several breaches in the past years.

With matches between the data sets, a cybercriminal could engage in SIM-swapping or phishing attacks to steal the target’s cryptocurrencies.

If you are an Authy user we advise you to update at your earliest convenience and keep an eye out for any potential phishing messages.

**How to avoid being phished**

Remember that phishing messages will try to rush you into making a decision by setting an ultimatum or otherwise imposing a sense of urgency. Don’t let them rush you into an expensive mistake.

There are a few tell-tale signs for phishing mails:

1.  It asks you to update/fill in personal information.
2.  The URL on the email and the URL that displays when you hover over the link are different from one another.
3.  The “From” address is not the legitimate address, although it may be a close imitation.
4.  The formatting and design are different from what you usually receive from the impersonated brand.
5.  The email contains an attachment you weren’t expecting.

However, with the advancement of AI, phishing emails are getting more sophisticated. So if you have even a tiny amount of suspicion that something is phishy, don’t hesitate to confirm the source of the email through another method. The chances of losing your money are much smaller after a quick call asking “Did you send this?”

**We don’t just report on threats – we help safeguard your entire digital identit**y

Cybersecurity risks should never spread beyond a headline. Protect your—and your family’s—personal information by using identity protection.

 Authy phone numbers accessed by cybercriminals, warns Twilio 

Buy now and pay later provider Affirm has notified the SEC that customer data of its card users was compromised in the Evolve data breach.

‘Buy now, pay later’ payment specialist Affirm has warned that holders of its payment cards had their personal information exposed after a ransomware attack and data breach at Evolve Bank & Trust.

In a form 8-K, submitted to the Securities and Exchange Commission (SEC), Affirm states:

> “Because the Company \[Affirm Holdings, Inc\] shares the Personal Information of Affirm Card users with Evolve to facilitate the issuance and servicing of Affirm Cards, the Company believes that the Personal Information of Affirm Card users was compromised as part of Evolve’s cybersecurity incident.”

According to Evolve, the attack started after “an employee inadvertently clicked on a malicious internet link.” Evolve refused to pay the ransom, and so the attackers leaked the data they downloaded.

Affirm isn’t the only fintech company affected by the Evolve breach. Business bank Mercury also notified customers that the data stolen from Evolve Bank & Trust included some account numbers, deposit balances, business owner names, and emails associated with Mercury and other fintech accounts.

> “Affected Mercury customers have been notified of the breach and the preventative steps we are taking to keep customer funds secure.”

Money transfer service and payment platform builder Wise also published a statement on its website, informing customers it had shared full names, addresses, contact details, Social Security numbers, and other sensitive information with Evolve as part of a partnership between 2020 and 2023.

So, it’s entirely possible that other financials may come forward with similar notifications. Reportedly, Evolve has active partnerships with multiple fintech companies, including Shopify, Bilt, Plaid, and Stripe.

Keep your eyes and ears open and be wary of phishing attempts related to these breaches.

**Protecting yourself after a data breach**

There are some actions you can take if you are, or suspect you may have been, the victim of a data breach.

*   **Check the vendor’s advice.** Every breach is different, so check with the vendor to find out what’s happened, and follow any specific advice they offer.
*   **Change your password.** You can make a stolen password useless to thieves by changing it. Choose a strong password that you don’t use for anything else. Better yet, let a password manager choose one for you.
*   **Enable two-factor authentication (2FA).** If you can, use a FIDO2-compliant hardware key, laptop or phone as your second factor. Some forms of two-factor authentication (2FA) can be phished just as easily as a password. 2FA that relies on a FIDO2 device can’t be phished.
*   **Watch out for fake vendors.** The thieves may contact you posing as the vendor. Check the vendor website to see if they are contacting victims, and verify the identity of anyone who contacts you using a different communication channel.
*   **Take your time.** Phishing attacks often impersonate people or brands you know, and use themes that require urgent attention, such as missed deliveries, account suspensions, and security alerts.
*   **Consider not storing your card details**. It’s definitely more convenient to get sites to remember your card details for you, but we highly recommend not storing that information on websites.
*   **Set up identity monitoring.** Identity monitoring alerts you if your personal information is found being traded illegally online, and helps you recover after.

**Check your digital footprint**

Malwarebytes has a free tool for you to check how much of your personal data has been exposed online. Submit your email address (it’s best to give the one you most frequently use) to our free Digital Footprint scan and we’ll give you a report and recommendations.

 Affirm says Evolve Bank data breach also compromised some of its customers 

It turns out that a breach at the Prudential impacted a lot more people than was initially thought. The company is now offering identity monitoring to affected customers.

In February 2024, Prudential Financial reported it had fallen victim to a ransomware attack. The attack was discovered one day after it started, but not before some 2.5 million people had been impacted by the resulting data breach.

As one of the largest insurance companies in the US, Prudential employs 40,000 people worldwide and reported revenues of over $50 billion in 2023.

At first, Prudential said it believed only 36,000 people had had their data stolen, but that number has now been revised to 2.5 million in a new breach notification. The company has also adjusted what information has stolen. In the original notification the company stated:

> “On the basis of the investigation to date, we do not have any evidence that the threat actor has taken customer or client data.”

However, Prudential is now saying the stolen data also impacted many customers and included:

*   Full names
*   Driving license numbers
*   Non-driving license identification cards

The data breach notification states that the company will be giving affected customers 24 months of identity theft and credit monitoring services through Kroll.

Below are some general tips on what to do after you’ve fallen victim to a data breach.

**Protecting yourself after a data breach**

There are some actions you can take if you are, or suspect you may have been, the victim of a data breach.

*   **Check the vendor’s advice.** Every breach is different, so check with the vendor to find out what’s happened, and follow any specific advice they offer.
*   **Change your password.** You can make a stolen password useless to thieves by changing it. Choose a strong password that you don’t use for anything else. Better yet, let a password manager choose one for you.
*   **Enable two-factor authentication (2FA).** If you can, use a FIDO2-compliant hardware key, laptop or phone as your second factor. Some forms of two-factor authentication (2FA) can be phished just as easily as a password. 2FA that relies on a FIDO2 device can’t be phished.
*   **Watch out for fake vendors.** The thieves may contact you posing as the vendor. Check the vendor website to see if they are contacting victims, and verify the identity of anyone who contacts you using a different communication channel.
*   **Take your time.** Phishing attacks often impersonate people or brands you know, and use themes that require urgent attention, such as missed deliveries, account suspensions, and security alerts.
*   **Consider not storing your card details**. It’s definitely more convenient to get sites to remember your card details for you, but we highly recommend not storing that information on websites.
*   **Set up identity monitoring.** Identity monitoring alerts you if your personal information is found being traded illegally online, and helps you recover after.

Malwarebytes has a free tool for you to check how much of your personal data has been exposed online. Submit your email address (it’s best to give the one you most frequently use) to our free Digital Footprint scan and we’ll give you a report and recommendations.

**We don’t just report on threats – we help safeguard your entire digital identit**y

Cybersecurity risks should never spread beyond a headline. Protect your—and your family’s—personal information by using identity protection.

 Prudential Financial data breach impacts 2.5 million people, not 36,000 as first thought 

An Australian man was arrested for alleged evil twin attacks. What are they and what can you do about them?

The Australian Federal Police (AFP) have charged a man for setting up fake free WiFi access points in order to steal personal data from people.

The crime was discovered when an airline reported a suspicious WiFi network identified by its employees during a domestic flight. When the alleged perpetrator landed at Perth airport, his bags were searched and authorities found a portable wireless access device, a laptop, and a mobile phone in his hand luggage.

The police say that the man, 42, used a portable wireless access device to create ‘evil twin’ free WiFi networks; so called because criminals set up free WiFi access points that mimic the name of legitimate public WiFi networks.

When people tried to connect their devices to the free WiFi networks, they were taken to a fake webpage requiring them to sign in using their email or social media logins. Those details were then allegedly saved to the man’s devices.

The email and password details harvested could then be used to access more personal information, including bank accounts, emails and messages, photos and videos, and more. 

AFP cybercrime investigators have identified data relating to the use of the alleged fraudulent WiFi pages at airports in Perth, Melbourne and Adelaide, on domestic flights, and at locations linked to the man’s previous employment.

The investigation is ongoing but the man can expect to face nine charges for the alleged cybercrime offences.

‘Evil twin’ attacks are a type of “machine-in-the-middle” attack, where all traffic is routed through a server under the attacker’s control, giving them access to all of the submitted information.

Cybercriminals favour places where people expect to have free WiFi, such as airports, planes, coffee, shops, and libraries. The attacker finds the legitimate network name—known as the SSID (service set identifier)—and creates an access point with the same name.

Access points and wireless router networks broadcast their SSIDs to identify themselves, but the identifiers are not unique. Your device can connect to any SSID if the network has no security options enabled, and it will not be able to differentiate between the legitimate and the fake one.

Evil twin attacks are based on the fact that when two networks have the same SSID and security settings, your device will either connect to the one with the strongest signal or the one it sees first.

**How to stay safe from evil twin attacks**

There are a few things you can do to protect yourself against this kind of attack.

*   Firstly, do not allow your device to auto-connect to public or unsecure networks. See below on how to turn this off.
*   Look out for unexpected behavior. To connect to a free WiFi network, you shouldn’t have to enter any personal details—such as logging in through an email or social media account.
*   Install a trusted VPN to encrypt the traffic regardless of the network you are using, and even when you’re not visiting websites that HTTPS (Hypertext transfer protocol secure) which encrypts the traffic between a browser and the website.
*   And my personal favorite: Use your own personal hotspot. I use a portable 5G Mifi router, which provides me with reliable high-speed WiFi throughout my domestic journeys.

**How to disable auto-connect**

When you’re travelling it may be safer to disable auto-connect on Wi-Fi altogether.

On Android it works roughly like this (steps may be slightly different depending on your Android version, device type, and vendor):

**Settings** > **Network & Internet** (or **Connections**) > **Wi-Fi** > **Wi-Fi preferences** (or **Advanced**). Toggle off **Connect to public networks**.

On iOS you can disable auto-connect by doing this:

**Settings** > **Wi-Fi**. Tap the **(i)** next to the network name and then toggle off **Auto-Join**.

**We don’t just report on threats – we help safeguard your entire digital identit**y

Cybersecurity risks should never spread beyond a headline. Protect your—and your family’s—personal information by using identity protection.

 Personal data stolen from unsuspecting airport visitors and plane passengers in “evil twin” attacks, man charged 

This week on the Lock and Code podcast, we speak with Sarah Lamdan about library privacy and the fight to stop big data surveillance.

_This week on the Lock and Code podcast_…

More than 20 years ago, a law that the United States would eventually use to justify the warrantless collection of Americans’ phone call records actually started out as a warning sign against an entirely different target: Libraries.

Not two months after terrorists attacked the United States on September 11, 2001, Congress responded with the passage of The USA Patriot Act. Originally championed as a tool to fight terrorism, The Patriot Act, as introduced, allowed the FBI to request “any tangible things” from businesses, organizations, and people during investigations into alleged terrorist activity. Those “tangible things,” the law said, included “books, records, papers, documents, and other items.”

Or, to put it a different way: things you’d find in a library and records of the things you’d check out from a library. The concern around this language was so strong that this section of the USA Patriot Act got a new moniker amongst the public: “The library provision.”

The Patriot Act passed, and years later, the public was told that, all along, the US government wasn’t interested in library records.

But those government assurances are old.

What remains true is that libraries and librarians want to maintain the privacy of your records. And what also remains true is that the government looks anywhere it can for information to aid investigations into national security, terrorism, human trafficking, illegal immigration, and more.

What’s changed, however, is that companies that libraries have relied on for published materials and collections—Thomson Reuters, Reed Elsevier, Lexis Nexis—have reimagined themselves as big data companies. And they’ve lined up to provide newly collected data to the government, particularly to agencies like Immigrations and Customers Enforcement, or ICE.

There are many layers to this data web, and libraries are seemingly stuck in the middle.

Today, on the Lock and Code podcast with host Davd Ruiz, we speak with Sarah Lamdan, deputy director Office of Intellectual Freedom at the American Library Association, about library privacy in the digital age, whether police are legitimately interested in what the public is reading, and how a small number of major publishing companies suddenly started aiding the work of government surveillance:

> “Because to me, these companies were information providers. These companies were library vendors. They’re companies that we work with because they published science journals and they published court reporters. I did not know them as surveillance companies.”

Tune in today to listen to the full conversation.

_Show notes and credits:_

Intro Music: “Spellbound” by Kevin MacLeod (incompetech.com)  
Licensed under Creative Commons: By Attribution 4.0 License  
http://creativecommons.org/licenses/by/4.0/  
Outro Music: “Good God” by Wowa (unminus.com)

**Listen up—Malwarebytes doesn’t just talk cybersecurity, we provide it.**

Protect yourself from online attacks that threaten your identity, your files, your system, and your financial well-being with our exclusive offer for Malwarebytes Premium for Lock and Code listeners.

Source

Malwarebytes