It was a good plan, as far as frauds go: rip off fans of live performances while simultaneously fleecing some of the internet’s biggest ticket vendors, such as Groupon, Ticketmaster and TickPick. The fraudsters create accounts with the ticket sellers and use stolen credit card information to make their purchases. Then they turn around and resell the tickets to fans, who might not be able to use them if the fraudsters resell them multiple times or the original sale is voided.
The well-laid plan fell apart, however, when a simple cybersecurity mistake revealed the scam. The reason: the apparent fraudsters forgot to password-protect their cloud database.
Security researchers Noam Rotem and Ran Locar last month found an unsecured database containing records of 17 million emails received by accounts made with the three ticket vendors, as well as a handful of local venues. Groupon says the records show similarities to a scam the company identified in 2016. The database is no longer online. The researchers don’t know who created the database, but believe it was used for criminal activity.
“We’ve worked on many similar database breaches, and certain aspects of this one didn’t add up,” the researchers wrote. “After contacting Groupon with our concerns, the full extent of what we’d uncovered was revealed.”
In a report published Wednesday with software review site vpnMentor, Rotem and Locar outline how they found records of emails, the email addresses and names used to buy the tickets, and other details that would make it simple to identify and remove fraudsters’ accounts from a ticket vendor’s systems. Anyone visiting the correct IP address could see the data.
The data exposure is more evidence — if any were needed — that everyone, even criminals, struggles with cybersecurity. Improperly secured databases have led to the exposure of caches that include children’s information, vast swaths of demographic data and health records. The problem usually starts when an organization misconfigures its cloud server, failing to select more private settings when it puts data online.
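The misconfiguration the article describes is usually a matter of two settings: which network interface the database listens on, and whether it demands credentials at all. The fragment below is an added illustration, not anything from the researchers' report or the exposed system, and it assumes MongoDB (the article does not name the database product); the IP addresses are placeholder values. The first document is the exposed form, the second the corrected one.

```yaml
# Added example, not from the article. MongoDB is assumed; the article does not
# say which database was exposed. Addresses are example values.

# --- Exposed form: listens on every interface, asks for no credentials ---
net:
  port: 27017
  bindIp: 0.0.0.0          # reachable from any network the host is attached to
security:
  authorization: disabled  # any client that can connect can read every collection
---
# --- Corrected form ---
net:
  port: 27017
  bindIp: 127.0.0.1,10.0.0.5   # loopback plus one private-network address only
security:
  authorization: enabled       # clients must authenticate; roles are granted per database
```

Enabling `authorization` is only half of it: with it turned on, an administrator still has to create users with scoped roles, and the `bindIp` list should name only the interfaces that application servers actually reach, so that a host firewall rule is not the sole thing standing between the data and the internet.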
In this case, the data appeared to be the blueprint of a crime.
At first, Rotem and Locar thought they’d found information owned by a legitimate business, like a third-party mailing service used by multiple ticket companies. But soon they saw hints that something was off. First, they realized there was no website for the mailing service. Then they saw that the email addresses in the database didn’t appear to belong to real people.
Finally, Groupon told the researchers that the data they’d come across was similar to what they’d seen in the 2016 fraud. Almost all of the records in the database were marketing emails from Groupon, which sends frequent emails on deals of the day to users. Groupon said there were about 20,000 email addresses in the exposed data set, but the total number of emails that related to the purchase of tickets was at most 673.
Groupon declined to confirm whether it was taking any action based on the findings. Ticketmaster didn’t respond to requests for comment.
Jack Slingland, vice president of operations at TickPick, didn’t comment directly on the researchers’ findings but said the company is continually on the alert for fraud activities. He said customers who purchase tickets resold through TickPick are guaranteed comparable tickets if they arrive at the venue and find they’ve been sold a fraudulent ticket.
However, the guarantee doesn’t apply if fraudsters buy tickets from TickPick and then resell them on another ticket-selling site.