Cybersecurity researcher Jeremiah Fowler identified and reported a non-password-protected database associated with a platform for event ticket resale. The platform in question is Ticket to Cash, an online ticket resale service that allows users to list and sell tickets for live events. 

In total, there were 520,054 records exposed. Fowler sent a disclosure notice to the organization but received no response. The database remained open for four days, so Fowler sent a second notice. Only then was the database restricted from public access. By then, more than 2,000 additional files were added to the formerly-exposed database before it was restricted. 

Currently, it is unknown if Ticket to Cash owns and manages the database director or if this is done by a third-party contractor. It is also unknown how long this database was exposed and if any malicious actors accessed it before Fowler’s discovery. 

Exposed documents include, but are not limited to: 

• Live event tickets
• Receipt screenshots
• Proof of ticket transfers

In these documents, personally identifiable information (PII) could be found, such as full names, email addresses, home addresses, and partial credit card numbers. If exposed, this information could potentially leave individuals vulnerable to phishing attacks, identity theft, or financial fraud. Furthermore, tickets could be sold multiple times, stolen, or used as counterfeiting templates.