Ticketfly, one of the larger ticket distributors in North America, has suffered a breach, and the site has been down for more than a day as of this writing. A report claims the hacker who compromised the site has stolen personal data from Ticketfly customers and employees.
A screenshot posted by Twitter user @MichaelStenberg shows what briefly appeared on the Ticketfly homepage: a message stating, “Ticketfly HacKeD By IsHaKdZ. Your security down im not sorry.” Not long after that, Ticketfly tweeted that it was indeed the victim of a cyber incident, and pulled its site offline.
Following recent site issues, we determined that Ticketfly has been the target of a cyber incident. To protect our clients and fans, and to secure the website and related data, we have temporarily taken all Ticketfly systems offline. We’ll keep you updated.
— Ticketfly (@ticketfly) May 31, 2018
Since then, Ticketfly has posted an update. The company doesn’t have a “specific timeline” as to when its site might be back online, and urges users who purchased tickets recently to bring a printed copy of their tickets to venues. Further complicating matters, Ticketfly notes that “If you were not the original ticket purchaser, you will likely need all three of the following: original credit card used to purchase the ticket; a photocopy of the original buyer’s ID; and a note from the original buyer authorizing you to pick up the ticket(s).”
With regard to stolen personal customer data, Ticketfly made only a typical corporate statement noting that the incident is under investigation. But Motherboard claims that it had an email conversation with the hacker, who reportedly asked for one bitcoin in exchange for sharing details of a vulnerability on the site with Ticketfly, and did not get a reply.
The hacker pointed Motherboard to a number of allegedly hacked files, including “several CSV spreadsheet files containing what appear to be personal details of Ticketfly customers and employees, including names, home and email addresses, and phone numbers.”
Motherboard said each of these spreadsheets contained “thousands of names,” and it also claims it was able to independently verify “the personal details of six users,” which certainly makes it appear that real data was actually stolen in the hack.