A misconfigured, non-password-protected database belonging to TicketToCash has exposed sensitive information from over 520,000 customers, including personally identifiable information (PII) and partial financial data.
Recently, cybersecurity researcher Jeremiah Fowler discovered a misconfigured database totaling 200GB that was publicly accessible, revealing more than 520,000 records related to TicketToCash, a platform for reselling event tickets.
In his report shared with Hackread.com, Fowler stated that the exposure encompasses not just names and email addresses, but also partial credit card numbers and physical addresses tied to concert and event tickets.
Additionally, the exposed data includes images of tickets and documentation containing PII, such as complete names, email addresses, home addresses, and credit card information. The structure of the database suggests it held customer files in diverse digital formats including PDF, JPG, PNG, and JSON. Upon reviewing some of these files, Fowler identified numerous tickets for concerts and other events, as well as proof of ticket transfers and screenshots of user-submitted payment receipts. Many documents included sensitive information such as partial credit card numbers, full names, and home addresses.
Internal indicators within the files and folders confirmed that the data was indeed associated with TicketToCash, an online platform facilitating the sale of event tickets including concerts, sports events, and theater performances. TicketToCash claims a listing across a network of more than 1,000 websites.
TicketToCash’s Lack of Response Led to Prolonged Exposure
Of particular concern is the apparent inaction from TicketToCash following the initial notification of the breach. According to Fowler’s investigation, he initially sent a responsible disclosure notice to TicketToCash, but did not receive a response, and the database remained unprotected. It was only after a second notification that the company secured the database, leaving the data vulnerable for four days in between these two communications.
Fowler cautioned that if the compromised information were to be misused, it could lead to various fraudulent activities, including phishing and identity theft. He emphasized the longevity of PII and financial details, stating that they can remain valid for years, indicating that the ramifications of this leak could be severe. The media attention surrounding similar breaches, such as the Ticketmaster data breach, underscores the gravity of such exposures.
Moreover, Fowler referenced a 2023 report indicating that approximately 11% of individuals purchasing tickets from secondary markets have fallen victim to scams. He noted an alarming 529% increase in ticket-related scams in the UK, with victims losing an average of £110 ($145 USD).
It remains uncertain whether TicketToCash directly owned and managed the exposed database or if it was maintained by a third-party vendor. Critical questions persist regarding the duration of the exposure and whether other parties accessed the compromised information during that timeframe.
This incident serves as a reminder of the crucial responsibilities that platforms handling sensitive user data bear, especially in high-stakes sectors like event ticketing. Users of TicketToCash should exercise increased vigilance against phishing attempts, closely monitor their financial accounts, regularly update passwords, and adopt multi-factor authentication strategies.
