A misconfigured, non-password-protected database belonging to TicketToCash exposed information on 520,000 customers, including PII and partial financial details.
Cybersecurity researcher Jeremiah Fowler recently discovered a 200GB openly accessible, misconfigured database containing over 520,000 records. The exposed database belonged to customers of TicketToCash, a platform for reselling event tickets.
According to Fowler's report, shared with Hackread.com, the exposure is not limited to names and email addresses; it includes partial credit card numbers and physical addresses linked to concert and event tickets.
Moreover, the exposed data included copies of tickets and documents containing Personally Identifiable Information (PII) such as names, email addresses, home addresses, and partial credit card numbers.
The database's name suggested it held customer data in various digital formats such as PDF, JPG, PNG, and JSON. When Fowler examined a sample of these files, he saw many tickets for concerts and other live events, proof of ticket transfers between individuals, and screenshots of payment receipts that users had submitted. Some of these documents showed partial credit card numbers, full names, email addresses, and home addresses.
Internal clues within the files and folders indicated that the data belonged to TicketToCash, an online platform where people can sell their event tickets for concerts, sports games, and theatre shows. The company states that it lists tickets across a network of more than 1,000 other websites.
TicketToCash Did Not Respond; Database Remained Exposed Until Second Alert
What is particularly troubling is the apparent lack of an initial response from TicketToCash after being notified. According to Fowler's investigation, "I immediately sent a responsible disclosure notice to TicketToCash.com, but I received no reply, and the database remained open."
The database remained publicly accessible until a second notification was sent, after which the company secured it; the data therefore stayed exposed for the four days between Fowler's first and second attempts.
Fowler warns that if this information somehow got into the wrong hands, it could be used for fraudulent purposes such as phishing, identity theft, or the creation and resale of fake tickets. Fowler highlighted that "PII and financial details can be valid for years," meaning the consequences of this leak could be long-lasting. That is also why the Ticketmaster data breach received widespread media coverage.
He also referenced a 2023 report indicating that a significant share of people (11%) buying tickets on secondary markets have been scammed, and noted a dramatic 529% increase in ticket scams in the UK "costing victims an average of £110 ($145 USD)."
It is unclear whether TicketToCash directly owned and managed this database or whether it was handled by a third-party contractor, how long it was exposed before Fowler found it, and whether anyone else might have accessed the information during that time.
Nonetheless, Fowler's findings highlight a critical responsibility for platforms handling sensitive user data, especially in high-value markets like event tickets. TicketToCash users should remain wary of phishing attempts, monitor their financial accounts, update their passwords, and switch to multi-factor authentication.