InfoSecBulletin Cybersecurity for mankind
Cybersecurity researcher Jeremiah Fowler discovered a non-password-protected database with 520,054 records from an event ticket resale platform and reported it to vpnMentor.
The unprotected public database had 520,054 records totaling 200 GB. It was labeled as containing customer inventory files in PDF, JPG, PNG, and JSON formats. A review of the files revealed many concert and event tickets, ticket transfer proofs, and user-submitted receipts. Some documents included partial credit card numbers, full names, email addresses, and home addresses.
Ticket resaler exposed 520,054 records size of 200 GB
“bCloud” Starts Journey in Bangladesh Targeting Cloud Solutions
Researcher Found Multiple Vulnerabilities In Apple’s AirPlay Protocol
Massive Attack: Hacker Actively Use 4800+ IPs To Attack Git Configuration Files
CISA Adds Actively Exploited Broadcom Flaws to KEV Database
Google reports 97 zero-days exploited in 2024, 50% in spyware attacks
Palo Alto Networks to Acquire AI Security Firm “Protect AI”
CISA Releases Seven ICS Advisories
India Launches First Quantum Computing Village in Amaravati
400+ SAP NetWeaver Devices Vulnerable to 0-Day Attacks
Jeremiah Fowler reported that internal files showed the records belonged to Ticket to Cash, an online ticket resale platform. It took several days and a follow-up notice before the database was restricted from public access. During the four days between the initial and second disclosure, over two thousand more records were exposed.
Data exposure involving Personally Identifiable Information (PII) can lead to various malicious activities, with identity theft being the primary concern when sensitive data like SSNs or dates of birth are leaked. Even with just names, email addresses, physical addresses, and partial financial data, scammers can build a fuller profile of victims for ongoing exploitation.
Jeremiah Fowler said tickets for several thousand dollars that were valid for up to 6-7 months in the future. This could hypothetically provide the financial incentive and enough time for a sophisticated attack on the account, counterfeiting, or other fraudulent activity.
A 2023 LendingTree report revealed that 11% of ticket buyers on secondary markets or unreliable sites were scammed. The Guardian reported a 529% increase in ticket scams in the UK last year, with victims averaging a loss of £110 ($145).
Jeremiah Fowler recommend that individuals who believe they may have been affected by a data breach be vigilant:
Monitor your financial accounts for unusual activity and periodically check your credit reports for any new accounts in your name.
Update passwords for any potentially compromised online accounts, and enable multi-factor authentication (MFA) whenever possible for extra security.
Stay alert for phishing attempts, especially emails about ticket purchases or payment issues. Always verify such messages through official channels, and report any suspicious activity to your bank, credit card provider, or relevant service provider.
TicketToCash.com is an online platform where people can sell tickets for concerts, sports, and theater events. It connects users to over 1,000 resale websites. Sellers can list their tickets for free, but Ticket to Cash takes a commission once a sale is made. If tickets don’t sell, the seller loses the full ticket value.
