Cybersecurity expert discovered and reported an unsecured, publicly accessible database linked to an event ticket resale platform. The service involved is Ticket to Cash, a website that enables users to list and sell tickets for concerts, sports events, and other live shows.
A total of 520,054 records were found exposed online. The researcher sent a notification to alert the company, but received no reply. The database stayed open for an additional four days. Only after this follow-up was the database finally locked down. During the time it remained exposed, more than 2,000 new files had been added to the database before it was secured.
At present, it’s unclear whether Ticket to Cash directly owns and operates the compromised database or if it was handled by an outside service provider. There is also no confirmed timeline for how long the database was vulnerable, nor is it known if any unauthorized parties accessed the information before the intervention.
The leaked files included, among other things:
- Tickets for live events
- Screenshots of purchase receipts
- Documentation of ticket transfers
Within these files, personally identifiable information (PII) was visible, such as full names, email addresses, physical addresses, and fragments of credit card numbers. If misused, this sensitive data could expose affected individuals to risks like phishing scams, identity theft, or financial fraud. In addition, the leaked tickets could be resold fraudulently, stolen, or replicated for counterfeit purposes.