A known extortion group briefly relisted old Ticketmaster data over the weekend, falsely suggesting a new breach.
What happened
Over the weekend, the Arkana Security extortion gang advertised over 569 GB of allegedly stolen Ticketmaster data for sale, sparking concern of a fresh security incident. However, analysis by BleepingComputer confirmed the data matches samples previously leaked during the 2024 Snowflake data theft attacks.
The post, which has since been taken down, included screenshots and file names that align with earlier breaches. One image captioned “rapeflaked copy 4 quick sale 1 buyer” referenced “RapeFlake,” a custom tool used by the original attackers to extract data from Snowflake-hosted databases.
Going deeper
The 2024 Snowflake attacks, attributed to the ShinyHunters group, targeted numerous high-profile companies, including Santander, Ticketmaster, AT&T, Neiman Marcus, and Advance Auto Parts. Attackers used credentials stolen by infostealer malware to gain access to Snowflake accounts and exfiltrate large volumes of sensitive customer data.
Ticketmaster confirmed its involvement in the breach in May 2025 and began notifying customers affected by the incident. Following the original leak, hackers released what they claimed were printable event tickets, including alleged Taylor Swift tickets, as part of a broader extortion campaign.
Arkana’s recent post did not specify whether the group was reselling previously obtained data, had acquired it from another source, or was collaborating with ShinyHunters. The listing was removed by June 9, and Arkana has not commented further.
What was said
While Arkana has remained silent on the data’s origin, indicators such as filenames and tool references strongly suggest that the group was attempting to monetize older breach data rather than promoting newly acquired information.
Mandiant and other cybersecurity firms continue to track ShinyHunters and related actors, noting their involvement in a wide range of attacks, including a recent campaign targeting Salesforce accounts.
FAQs
What is “RapeFlake” and why is it significant?
RapeFlake is a custom tool developed by hackers to identify and extract data from Snowflake databases. Its mention in Arkana's listing helps link the data to the original Snowflake breach.
How can companies verify if new threats are recycled data?
Digital forensics teams compare metadata, file structures, and content samples against previously leaked datasets to determine if “new” breaches are actually old data being repackaged.
What’s the risk of old data being resold?
Even if the breach isn’t new, reselling old data can reignite extortion threats, erode customer trust, and potentially lead to further misuse of the information.
Who are ShinyHunters, and how active are they today?
ShinyHunters is a well-known cybercriminal group linked to multiple major breaches over the past few years. Although several members have been arrested, it's unclear if recent activity is from the original group or new actors using the name.
What steps should affected customers take?
Customers should monitor their accounts for suspicious activity, enable two-factor authentication, and consider credit monitoring services if their personal data was compromised in earlier breaches.
Farah Amod
