A massive data breach has exposed over 520,000 records belonging to users of TicketToCash.com, an online ticket resale platform.
The unprotected database, which was neither password-protected nor encrypted, was discovered by a security researcher and contained roughly 200 GB of files, including ticket purchase confirmations, payment receipts, and user-submitted documents in PDF, JPG, PNG, and JSON formats. Many of the exposed files included personally identifiable information (PII) such as full names, email addresses, home addresses, and partial credit card numbers.
The researcher who discovered the breach immediately submitted a responsible disclosure notice to TicketToCash.com but received no reply. Four days later, after a second notice, the database was finally secured, though not before more than 2,000 additional files had been added. The data exposure raised serious concerns about the platform’s data security practices and the potential risks to consumers whose information may now be vulnerable to scams, phishing attacks, or account takeovers.
Among the exposed documents were thousands of digital tickets for concerts, festivals, and live events, some with values reaching several thousand dollars. This level of detail could enable malicious actors to craft highly targeted phishing messages or social engineering attacks. For instance, knowing the buyer’s name, email address, and the event they’re attending could allow scammers to impersonate ticketing services or initiate fake password resets, potentially hijacking user accounts to steal or resell tickets.
TicketToCash.com facilitates ticket resales across a network of over 1,000 secondary websites. Users can list their tickets for free and only pay a commission if the tickets are sold. While the platform appears to be operational and widely used, its website offers little transparency about the company’s ownership, legal registration, or customer support structure. Attempts by the researcher to contact the company via phone and email were unsuccessful.
This incident comes amid a sharp increase in ticket fraud. A 2023 report from LendingTree found that 11% of consumers who purchased tickets from secondary or unverified sites were scammed. In the UK, ticket-related fraud surged by 529% in the past year, according to The Guardian, with victims losing an average of £110 (USD 145). With concert ticket prices at an all-time high, averaging USD 135 and often much more for premium events, stolen or counterfeit tickets remain a lucrative target for cybercriminals.
Though there is no indication that TicketToCash.com was involved in any fraudulent activity, the incident underscores the dangers of unsecured cloud infrastructure and the need for better security practices in the secondary ticketing industry.
Customers who have used the platform are advised to change their passwords, enable multi-factor authentication where possible, monitor their financial accounts, and remain alert to phishing attempts.
