Ticket to Cash Data Breach

A cybersecurity researcher uncovered and disclosed a publicly exposed database tied to an event ticket resale site. The platform in question, Ticket to Cash, allows people to post and sell tickets for concerts, sporting events, and other live entertainment.

In total, 520,054 records were left unprotected online. The researcher alerted the company but received no response. The database remained accessible for another four days, during which time over 2,000 additional files were added. It wasn’t until after a second notification that the database was finally taken offline and secured.

It is still uncertain whether Ticket to Cash directly controlled the database or if it was managed by a third-party vendor. The length of time the data remained exposed is also unknown, as is whether any malicious actors accessed the information before it was discovered and reported.

Among the exposed records were:

Digital tickets for live shows
Images of purchase receipts
Files confirming ticket transfers

These documents contained personally identifiable information (PII) such as full names, email addresses, mailing addresses, and parts of credit card numbers. If exploited, this information could put individuals at risk for phishing attempts, identity theft, and financial crimes. Additionally, the leaked tickets could potentially be resold illegally, stolen, or used as templates for creating counterfeit copies.