alex-korr | 1 year ago

My guess is that it went down like this. Ticketmaster gave access to their production tenant to a sales engineer that was probably attached to their account rep. He got an account with a set password, was not onboarded into their Okta/Azure AD/etc and didn't have MFA enabled for his account or was restricted to a range of IPs for access.

He got p0wned and the hackers got in using his creds. Of course he likely had accountadmin or something highly privileged since he was likely routinely asked to look at random things at Ticketmaster... that too didn't help.
