Ticket Resale Platform TicketToCash Left 200GB of User Data Exposed

A misconfigured, non-password-protected database belonging to TicketToCash exposed data from 520,000 customers, including PII and partial financial details.

Cybersecurity researcher Jeremiah Fowler recently discovered a 200GB openly accessible misconfigured database containing over 520,000 records. This exposed database belonged to customers of TicketToCash, a platform for reselling event tickets.

According to Fowler’s report, shared with Hackread.com, it isn’t just about names and email addresses; the data exposure includes partial credit card numbers and physical addresses linked to concert and event tickets.

Additionally, the exposed data included copies of tickets and documents containing Personally Identifiable Information (PII) such as names, email addresses, home addresses, and credit card numbers.

The database’s name suggested it held customer files in various digital formats like PDF, JPG, PNG, and JSON. When Fowler looked at some of these files, he saw many tickets for concerts and other live events, proof of ticket transfers between people, and screenshots of payment receipts that users had submitted. Some of these documents showed partial credit card numbers, full names, email addresses, and home addresses.

Ticket Details Exposed in the leak (Source: vpnMentor)

Internal clues within the files and folders indicated that the data belonged to TicketToCash, an online platform where people can sell their event tickets for concerts, sports games, and theatre shows. The company states that it lists tickets across a network of more than 1,000 other websites.

What’s particularly troubling is the apparent lack of initial response from TicketToCash after being notified. According to Fowler’s investigation, “I immediately sent a responsible disclosure notice to TicketToCash.com, but I received no reply, and the database remained open.”

The database remained publicly accessible until Fowler sent a second notification, after which the company secured it. The files stayed exposed for the four days between his first and second attempts.

Fowler warns that if this information somehow got into the wrong hands, it could be used for fraudulent purposes like phishing, identity theft, or the creation and resale of fake tickets. Fowler highlighted that “PII and financial details can be valid for years,” meaning the consequences of this leak could be long-lasting. That’s also why the Ticketmaster data breach received widespread media coverage.

He also referenced a 2023 report indicating that a significant percentage of people (11%) buying tickets from secondary markets have been scammed, and noted a dramatic 529% increase in ticket scams in the UK “costing victims an average of £110 ($145 USD).”

It’s unclear whether TicketToCash directly owned and managed this database or whether it was handled by a third-party contractor, how long it was exposed before Fowler found it, and whether anyone else accessed the information during that time.

Nevertheless, Fowler’s findings highlight a critical responsibility for platforms handling sensitive user data, especially in high-value markets like event tickets. TicketToCash users must remain cautious of phishing attempts, monitor financial accounts, update passwords and switch to multi-factor authentication.

HackRead
