Over 500k Records Including Customer PII Exposed in Ticket Reseller Data Breach
Cybersecurity researcher Jeremiah Fowler discovered and reported to vpnMentor a non-password-protected database that contained 520,054 records belonging to an event ticket resale platform.
The publicly exposed database was not password-protected or encrypted. It contained 520,054 records with a total size of 200 GB. The name of the database indicated that it contained customer inventory files in PDF, JPG, PNG, and JSON formats. In a limited sampling of the exposed documents, I saw thousands of concert and live event tickets, proof of ticket transfers, user-submitted screenshots of receipts, and more. Some of these documents contained partial credit card numbers, full names, email addresses, and home addresses.
Internal files and folder names indicated the records belonged to Ticket to Cash — an online ticket resale platform. I immediately sent a responsible disclosure notice to TicketToCash.com, but I received no reply, and the database remained open. It took several days and a second notice before the database was finally restricted from public access and no longer accessible. In the time between my first responsible disclosure notice and the second one (four days later), the number of exposed records had grown by over two thousand files.
Although the records appeared to belong to Ticket to Cash, it is not known if the database was owned and managed directly by them or by a third-party contractor. It is also not known how long the database was exposed before I discovered it or if anyone else may have gained access to it. Only an internal forensic audit could identify additional access or potentially suspicious activity.
TicketToCash.com is an online ticket resale platform that enables individuals to list and sell entry passes for concerts, sports matches, and theater plays. The company claims to offer tickets across a network of over 1,000 resale websites. Users can create an account and list their tickets for free; once the tickets are sold, Ticket to Cash deducts a commission. If the tickets are not sold, the seller loses the full value of the ticket.
According to reviews, payments are processed via PayPal and can take some time after the event concludes. Getting in touch with the company was difficult in my experience too — I was not able to reach anyone by phone and did not receive a reply to my initial responsible disclosure notice.
The exposure of names, emails, some home addresses, and partial credit card numbers carries serious potential privacy risks that remain long after a concert is over. PII and financial details can be valid for years, and suspicious or fraudulent activity may not happen immediately after that information falls into the wrong hands. The same speed and convenience that make buying tickets online so easy have also simplified the way ticket scams and fraud operate.
According to a 2023 report by LendingTree on high ticket costs, 11% of those surveyed who bought tickets from secondary markets or questionable sites were scammed. In the UK, The Guardian reported that ticket scams increased a staggering 529% over the past year, costing victims an average of £110 ($145 USD). I am not saying or implying that Ticket to Cash is engaged in this type of activity; I am only presenting a risk scenario where leaked tickets could potentially be used to scam ticket buyers.
As live music events surged in popularity following the pandemic, criminals have also taken the opportunity to scam fans who are desperate to see top musical acts, sports, festivals, and other public events. With ticket prices reaching a new high, ticket scams are profitable. The average price of a concert ticket in 2024 was estimated to be $135 USD, but many of the documents I saw in the database were in the thousands of dollars. Knowing the PII of individuals who purchase expensive tickets could potentially make them a high-value target for criminals.
Any data exposure that contains Personally Identifiable Information (PII) could potentially be used for a wide range of malicious activities. Identity theft is the biggest concern in cases where more sensitive information (such as SSN, DOB, etc.) is exposed. With only names, email or physical addresses, and partial financial data exposed, scammers could attempt to piece together a more complete profile of their victims and pursue a long-term exploitation strategy.
Phishing and social engineering are far easier when the criminals have insider knowledge about the victim that is not public. In this case, knowing email addresses, having proof-of-purchase records, and reviewing tickets with locations and dates could provide enough context for an attacker to send convincing phishing emails or SMS messages. Most ticket providers have their own internal platforms where customers can create accounts and manage, sell, or transfer their tickets. If criminals used phishing or social engineering to obtain credentials for users' accounts, they could take over the account on the ticket provider's platform. Account takeovers are a serious concern if the ticket provider has weak security protocols and allows unauthorized access to account details, tickets, or other personal information.
Here is an example of how this could happen: Cybercriminals could attempt to carry out targeted attacks on specific individuals using known email addresses associated with concert ticket purchases. The best way to do this would probably be to target the email itself and gain unauthorized access to the account. This can be done in a variety of ways, such as phishing, credential stuffing, or exploiting weak or previously compromised passwords.
Once criminals gain access to the email account, they could intercept any ticket-related communications. They could also initiate a password reset on the ticketing platform, which would send the reset link to the compromised email. If successful, the attackers could potentially log into the ticketing account, download the digital tickets, or transfer them to a third party for resale. This would leave the original ticket holder locked out and potentially unable to attend the event.
When reviewing a sample of the exposed documents, I personally saw tickets for several thousand dollars that were valid for up to 6-7 months in the future. This could hypothetically provide the financial incentive and enough time for a sophisticated attack on the account, counterfeiting, or other fraudulent activity.
I am not saying that Ticket to Cash’s customers are currently at risk of this type of attack. I am only providing a hypothetical scenario of how criminals could potentially attempt to steal tickets using limited information, such as an email and knowledge of the concert and ticket platform where they were originally purchased.
I would recommend that individuals who believe they may have been affected by a data breach be vigilant:
- Monitor any associated financial accounts to identify any unusual or suspicious activity. It is also a good idea to periodically check credit reports to see if any accounts have been opened in your name.
- Update all passwords for the online accounts that may have been compromised. When possible, use multi-factor authentication (MFA) on accounts that have personal or sensitive information. This can add an additional layer of security and prevent unauthorized access in cases where the password has been compromised.
- Be cautious of phishing attempts, especially emails or messages referencing recent ticket purchases or payment issues. Verify odd messages using official communication channels. Report suspicious activity to your bank, credit card provider, and the service provider if something doesn’t seem right or you suspect fraud.
It is not known who owns Ticket to Cash, as the information is not available online and I received no response to my questions by email. Despite the poor communication, the company appears to be moving a large number of tickets, so I am not questioning the legitimacy of their services.
Having said that, I personally believe that when a company requires customers to provide their personal or financial information, there should be some level of transparency — especially when the products or services it provides can cost thousands of dollars. Most companies will specify important details such as where the business is located, legal registrations, key leadership, etc. As a general rule, I would be wary of anonymous websites that offer only an email and a phone number.
Cybercriminals are always enhancing their methods and finding new ways to trick ticket buyers out of their money and their chance to attend important events. I would recommend using official ticket sources when possible and being skeptical of unbelievably cheap offers that seem too good to be true. In any transaction, caution and research can help avoid being scammed.
I imply no wrongdoing by Ticket to Cash, or its employees, agents, contractors, affiliates, and/or related entities. I do not claim that any internal, customer, or user data was ever at imminent risk. The hypothetical data-risk scenarios I have presented in this report are strictly and exclusively for educational purposes and do not reflect, suggest, or imply any actual compromise of data integrity. It should not be construed as a reflection of or commentary on any organization’s specific practices, systems, or security measures.
As an ethical security researcher, I do not download the data I discover. I only take a limited number of screenshots as necessary and solely for verification and documentation purposes. I do not conduct any activities beyond identifying the security vulnerability and notifying the relevant parties. I disclaim any and all liability for any and all actions that may be taken as a result of this disclosure. I publish my findings to raise awareness of issues of data security and privacy. My aim is to encourage organizations to proactively implement measures to safeguard sensitive information against unauthorized access.