Ticket Resale Platform TicketToCash Left 200GB of User Data Exposed

A misconfigured, non-password-protected database belonging to TicketToCash exposed information from 520,000 customers, including PII and partial financial details.

Cybersecurity researcher Jeremiah Fowler recently discovered a 200GB openly accessible misconfigured database containing over 520,000 records. This exposed database belonged to customers of TicketToCash, a platform for reselling event tickets.

According to Fowler’s report, shared with Hackread.com, it isn’t just about names and email addresses; the data exposure includes partial credit card numbers and physical addresses linked to concert and event tickets.

Additionally, the exposed data included copies of tickets and documents containing Personally Identifiable Information (PII) such as names, email addresses, home addresses, and credit card numbers.

The database’s name suggested it held customer files in various digital formats like PDF, JPG, PNG, and JSON. When Fowler looked at some of these files, he saw many tickets for concerts and other live events, proof of ticket transfers between people, and screenshots of payment receipts that users had submitted. Some of these documents showed partial credit card numbers, full names, email addresses, and home addresses.

Ticket details exposed in the leak (Source: vpnMentor)

Internal clues within the files and folders indicated that the data belonged to TicketToCash, an online platform where people can sell their event tickets for concerts, sports games, and theatre shows. The company states that it lists tickets across a network of more than 1,000 different websites.

TicketToCash Did Not Respond; Database Remained Exposed Until Second Alert

What’s particularly troubling is the apparent lack of initial response from TicketToCash after being notified. According to Fowler’s investigation, “I immediately sent a responsible disclosure notice to TicketToCash.com, but I received no reply, and the database remained open.”

The database remained publicly accessible until a second notification was sent, after which the company secured it, but the files remained exposed in the four days between Fowler’s first and second attempts.

Fowler warns that if this information somehow got into the wrong hands, it could be used for fraudulent purposes like phishing, identity theft, or the creation and resale of fake tickets. Fowler highlighted that “PII and financial details can be valid for years,” meaning the consequences of this leak could be long-lasting. That’s also why the Ticketmaster data breach received wide media coverage.

He also referenced a 2023 report indicating that a significant percentage of people (11%) buying tickets from secondary markets have been scammed, and noted a dramatic 529% increase in ticket scams in the UK “costing victims an average of £110 ($145 USD).”

It’s unclear whether TicketToCash directly owned and managed this database or if it was handled by a third-party contractor, how long it was exposed before Fowler found it, and if anyone else might have accessed the information during that time.

Nevertheless, Fowler’s findings highlight a critical responsibility for platforms handling sensitive user data, especially in high-value markets like event tickets. TicketToCash users must remain cautious of phishing attempts, monitor financial accounts, update passwords and switch to multi-factor authentication.