A recent hack of ticket-distribution website Ticketfly exposed more than 26 million email addresses, along with home addresses, phone numbers, and first and last names, according to the Have I Been Pwned breach notification service. The intrusion provides the latest reminder that users should provide incorrect or incomplete information to online services whenever possible. More about that later.
The breach was first reported last week by Motherboard, which said it was carried out by a hacker who had first offered to provide Ticketfly officials with details of the underlying vulnerability in exchange for one bitcoin, worth roughly $7,500. When the officials didn't respond, the hacker defaced the site and published the user data online, Motherboard said.
Have I Been Pwned said over the weekend that the data included 26.1 million unique email addresses, names, physical addresses, and phone numbers. It didn't include password or credit card data. In a blog post, Ticketfly officials said they were in the process of bringing the ticket service back online. Part of that effort involves working with forensic and security experts to investigate the hack and to better secure the new site against similar intrusions.
“We're rolling out a secure website solution as an alternative to your Ticketfly-powered site to meet your immediate needs,” the post said. “We've built a secure, non-WordPress-based website solution with your existing domain, and your site will appear sometime today. We'll be actively updating your site so that your events will populate and external ticketing links will work. There's no action for you to take, and we'll keep you informed as our longer-term website strategy evolves.”
The Ticketfly breach is a good reminder that people should avoid providing services with personal information whenever possible. Ticketfly requires that users provide a full name, billing address, and phone number when using a credit card to buy tickets. But like many services, Ticketfly didn't check the validity or completeness of most of the information supplied. That made it possible for people to give incomplete addresses and names and list non-existent phone numbers such as 555-1212 and still order tickets.
Some sites are more lenient with incomplete or incorrect information than others. A surprising number of sites will accept completely fictitious addresses such as 123 Any Street. Others will accept a small portion of a correct billing address such as the number portion and the first three or four letters of the street name. Users typically must experiment when using a new site or service to see how much incorrect or incomplete details it will accept.
People should also consider using a separate email address for services they don't particularly trust to prevent more sensitive email addresses from becoming widely known. Another measure users of Gmail and some other services can take is to append a unique string containing a plus sign and a domain to an existing email address. For instance: [email protected], [email protected], and so on. It's never a bad idea to sign up with Have I Been Pwned to get a notification when one of your email addresses has been exposed.
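As an added illustration that is not part of the original article, the following Python script shows the payoff of the tagging technique described above: when a plus-addressed alias turns up in a breach list, the tag tells you which service exposed it. The addresses, service names and the leaked sample are constructed for the example; the Gmail dot-folding rule is included as a known provider behaviour.

```python
from dataclasses import dataclass
from typing import Dict, Optional

# Constructed sample: aliases a user registered with different services.
# The "bank" entry uses the untagged base address for contrast.
SIGNUPS: Dict[str, str] = {
    "ticketfly": "jane.doe+ticketfly@example.com",
    "newsletter": "jane.doe+newsletter@example.com",
    "bank": "jane.doe@example.com",
}

# Constructed sample of addresses found in a leaked dump (mixed case on purpose).
LEAKED = ["Jane.Doe+ticketfly@Example.com", "jane.doe+unknown@example.com",
          "bob+shop@example.org"]

@dataclass(frozen=True)
class Parsed:
    local: str            # local part with the tag removed, lower-cased
    tag: Optional[str]    # text after the first '+', or None if untagged
    domain: str

def parse_address(addr: str) -> Parsed:
    """Split user+tag@domain; the subaddress tag is whatever follows the first '+'."""
    local, _, domain = addr.strip().rpartition("@")
    if not local or not domain:
        raise ValueError(f"not an email address: {addr!r}")
    base, _, tag = local.partition("+")
    return Parsed(local=base.lower(), tag=tag or None, domain=domain.lower())

def same_mailbox(a: Parsed, b: Parsed) -> bool:
    """True if both addresses deliver to one mailbox once the tag is ignored.
    Gmail additionally ignores dots in the local part, so fold them there."""
    def key(p: Parsed):
        local = p.local.replace(".", "") if p.domain in ("gmail.com", "googlemail.com") else p.local
        return (local, p.domain)
    return key(a) == key(b)

def attribute_leak(leaked_addr: str, signups: Dict[str, str]) -> Optional[str]:
    """Name the service whose alias appears in the dump. Returns the marker string
    below if the mailbox is ours but the tag was never handed out (the base address
    was harvested some other way), and None if the address is not ours at all."""
    leaked = parse_address(leaked_addr)
    aliases = {svc: parse_address(a) for svc, a in signups.items()}
    for service, alias in aliases.items():
        if same_mailbox(leaked, alias) and leaked.tag == alias.tag:
            return service
    if any(same_mailbox(leaked, alias) for alias in aliases.values()):
        return "mailbox matched, unrecognised tag"
    return None

def scan_dump(leaked, signups) -> Dict[str, Optional[str]]:
    return {addr: attribute_leak(addr, signups) for addr in leaked}
```

Note that a tagged alias only helps with attribution: anyone who strips the `+tag` has the base address, and some sign-up forms reject a plus sign outright.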
Although the Ticketfly breach didn't expose password data, many other breaches do, and in many cases weak protections make it trivial for hackers to obtain the underlying plain text. Users should always use a long, randomly generated password that's unique for each site. Password managers are one of the easiest ways to accomplish this.