An unprotected and unencrypted database was recently found online, exposing sensitive information to the public. This database held over 520,000 records and took up 200 GB of storage. From its naming structure, it appeared to store customer-related files in formats such as PDF, JPG, PNG, and JSON. A review of a small portion of these leaked documents revealed thousands of concert and event tickets, evidence of ticket transfers, and user-uploaded screenshots of receipts. Alarmingly, some files also included partial credit card details, full names, email addresses, and home addresses.

Further inspection of folder and file names indicated in the data breach strongly suggested that these records belonged to Ticket to Cash, an online platform that allows users to resell tickets for concerts, sports events, and theater shows. After spotting the leak, the researcher promptly sent a warning to TicketToCash.com. Unfortunately, there was no immediate response, and the database remained publicly accessible. It was only after several days and a second alert that the database was finally secured.

While the exposed records are linked to Ticket to Cash, it remains unclear whether the database was directly maintained by the company or by a third-party service provider. It’s also unknown how long the database had been publicly exposed or whether anyone else accessed the information before it was locked down. Only a thorough internal investigation could confirm the extent of the breach and detect any suspicious activities.

TicketToCash.com operates by letting users list their tickets across a large resale network of over 1,000 partner websites. Sellers can post tickets without upfront costs but pay a commission once a sale is made. If the ticket doesn’t sell, the user loses the full ticket value. According to customer feedback, payments are typically handled through PayPal, though they are often delayed until after the event concludes. My own attempts to reach the company for comment were unsuccessful, both by phone and email.

How Customers Can Protect Their Personal Information After The Breach:

  • Watch Your Accounts: Regularly check your bank and credit card statements for unusual or unauthorized charges.
  • Change Your Passwords: Update the password for your TicketToCash account (if you have one) and any other sites where you might have used the same login details.
  • Enable Two-Factor Authentication (2FA): Wherever possible, add an extra layer of security to your online accounts.
  • Be Alert for Phishing: Look out for suspicious emails or messages pretending to be from TicketToCash or other services, especially those asking for personal info.
  • Consider a Credit Freeze or Fraud Alert: If your personal data was compromised, placing a freeze or fraud alert on your credit reports can help prevent identity theft.
  • Back Up Important Files: If you’ve stored sensitive ticket or receipt info online, consider keeping secure backups in encrypted formats.