Cybersecurity researcher Jeremiah Fowler has uncovered a publicly accessible database containing over half a million records linked to an online ticket resale service. He reported the discovery to vpnMentor.
The database was neither password-protected nor encrypted and contained 520,054 records totalling approximately 200 GB. Based on file and folder names, the data appeared to belong to “Ticket to Cash,” a resale platform for event tickets.
Fowler reviewed a small sample of the documents, which included concert and event tickets, ticket transfers, receipts, and user-uploaded screenshots. Some files contained personally identifiable information (PII), such as partial credit card numbers, full names, email addresses, and home addresses.
He attempted to alert the company through a responsible disclosure notice but received no response, and the database remained exposed for several more days, during which time, the number of records grew by more than 2,000 files. It was only secured after a second notice.
It remains unclear whether the database was directly managed by Ticket to Cash or by a third-party contractor.
Ticket to Cash operates as a resale marketplace where users can list tickets for concerts, sports events, and theater performances. It claims to distribute tickets through a network of more than 1,000 websites, and according to its business model, sellers can list tickets for free but lose the full value if the tickets are not sold. Payments are processed through PayPal, often after the event takes place.
Fowler said he had difficulty contacting the company. He received no response to his disclosure notice and was unable to reach anyone by phone.
Data exposure comes with long-term risks. Even limited information such as names, email addresses, and partial financial data can be valuable to malefactors, and could be used in phishing attacks or social engineering schemes aimed at taking over user accounts.
For instance, bad actors could craft convincing phishing emails using exposed email addresses and proof-of-purchase documents. If successful, they might gain access to a user’s email account, reset passwords, and take control of accounts on ticketing platforms. In some cases, they could download or transfer digital tickets, locking out the original buyer.
Fowler stressed that he didn’t download or misuse the exposed data, nor is he suggesting that Ticket to Cash or its affiliates were engaged in fraud. He said there is no confirmed evidence of unauthorized access by other parties, and that his goal is to raise awareness about the dangers of unprotected databases.
In 2023, LendingTree reported that 11% of buyers using secondary markets were scammed, he said. In the UK, The Guardian reported a 529% increase in ticket scams over the previous year, with an average loss of £110 (about $145 USD).
Fowler recommends that individuals who believe they may have been affected should:
- Monitor financial accounts for unusual activity
- Update passwords and enable multi-factor authentication
- Be cautious of emails or messages referencing ticket purchases or payments
He also advised consumers to be wary of anonymous or unresponsive platforms, particularly ones that collect personal and payment information.
The ownership of Ticket to Cash is unclear. Public information about the company’s leadership, location, or legal registration was not available at the time of this report.
Information Security Buzz News Editor
Kirsten Doyle has been in the technology journalism and editing space for nearly 24 years, during which time she has developed a great love for all aspects of technology, as well as words themselves. Her experience spans B2B tech, with a lot of focus on cybersecurity, cloud, enterprise, digital transformation, and data centre. Her specialties are in news, thought leadership, features, white papers, and PR writing, and she is an experienced editor for both print and online publications.
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.