After briefly being hijacked by a hacker Thursday, the website for event ticketing company Ticketfly has been offline for more than 24 hours as the company investigates a potentially serious data breach that compromised “some client and customer information.”
The company offered the first update on the situation Friday, and things aren’t looking great. On a support site, Ticketfly states that it is “investigating a cybersecurity incident” and its website and other services will be inaccessible for the time being. No timeframe has been provided as to when Ticketfly’s operations will return to normal.
This whole unfortunate incident started late Wednesday night when people started to notice some suspicious activity coming from Ticketfly. The Ticketfly website had been defaced with an image of V from the film V for Vendetta—a standard pulled from the hacker stock art collection—and a message that read, “Ticketfly HacKeD By IsHaKdZ. Your Security Down im Not Sorry.”
With these types of incidents, it’s often hard to tell just how fucked the victim of the hack is. It’s possible for an attacker to vandalize a site without doing any real damage to the behind-the-scenes infrastructure. Unfortunately, in the case of Ticketfly, the breach appears to be far worse than just the digital equivalent of graffiti.
The apparent hacker, going by IsHaKdZ, told Gizmodo via email that he found a vulnerability in the Ticketfly website and attempted to report it to the company. Motherboard reported seeing email conversations purportedly between the hacker and Ticketfly employees. The hacker said he “asked them 1 bitcoin for protection,” and when he didn’t receive it, he exploited the vulnerability.
According to IsHaKdZ, he is in possession of a “complete” database containing sensitive information that he stole from Ticketfly. According to Motherboard, the hacker has several spreadsheet files that appear to contain personal information about thousands of Ticketfly customers and employees of venues that use the service. The database includes names, home addresses, email addresses, and phone numbers.
IsHaKdZ is threatening to release another database, apparently labeled “backstage.” The hacker hasn’t provided any indication as to what the files might contain.
Ticketfly hasn’t disclosed what information may have been accessed by the hacker, but it has conceded that at least some data has been stolen. All the company has publicly said so far is that “some client and customer information” is believed to be compromised.
A spokesperson for Eventbrite, Ticketfly’s parent company, told Gizmodo the following regarding the incident:
“We’ve determined that Ticketfly.com has been the target of a cyber incident. Out of an abundance of caution, we have taken all Ticketfly systems temporarily offline as we continue to look into the issue. We realize the gravity of this decision, but the security of client and customer data is our top priority. We are working tirelessly, and in coordination with leading third party forensic experts, to get our clients back up and running.”
The hack is bad all on its own, and Ticketfly is going to have to do some explaining to the customers and venues that it allowed to be exposed by the apparent vulnerability, but the company has another pressing issue to attend to as well: the fact that its primary operations have been disrupted.
Ticketfly is a ticket purchasing platform. Venues host events and allow people to purchase tickets through Ticketfly. With the site down, tickets for upcoming events can’t be digitally accessed by customers or verified by the venue. For the time being, Ticketfly is planning on supplying venues with a printed guest list to check in each person who purchased a ticket for the show.
From the sounds of it, it’s going to be quite the hassle. Showgoers are expected to have a photo ID ready to go at the door. If the person attending the show didn’t buy the ticket, they’ll have to bring the credit card used to make the purchase, a photocopy of the buyer’s ID, and a note from the buyer authorizing the person to pick up the ticket.
Individual venues may handle the issue differently, and Ticketfly has recommended venues use social media to let ticket buyers know what they’ll need to get in the door. Regardless, venue operators will likely be dealing with some pissed off patrons through no fault of their own.
Update, June 2nd, 2:40pm: A spokesperson for Ticketfly provided the following update on the situation:
“In consultation with leading third-party forensic and cybersecurity experts, we are in the process of bringing the Ticketfly ticketing system back online with the security of our clients and fans top of mind. We are grateful for the outpouring of support our community has shown us while we continue to work through this cyber incident.”