Slashdot Mirror


Ticketfly Says 27 Million Accounts Compromised During 'Malicious' Attack (billboard.com)

Earlier this month, we reported on a "cyber incident" that compromised the systems of Ticketfly, a large ticket distribution service. We have now learned that roughly 27 million user accounts were compromised during the attack. The information includes names, addresses, email addresses and phone numbers; thankfully, no credit/debit card info or passwords were stolen. Billboard reports: Ticketfly's website is fully back online a week after being targeted by what it describes as a "malicious cyber attack," though its mobile app for iOS remains offline "as we continue to prioritize bringing up the most critical parts of the platform first." Following the hack, the company rolled out a network of temporary venue and promoter websites so that events, including Riot Fest and Celebrate Brooklyn, could continue selling tickets. The "vast majority" of the temporary sites are now live, the firm said. All passwords for both ticket buyers and venue/promoter clients were reset following the hack, though they found no evidence that they were accessed. "It is possible, however, that hashed values of password credentials could have been accessed," the site warned. "Hashing is a way of scrambling a piece of data, making it generally incomprehensible."

11 comments

  1. a "malicious cyber attack" by grep+-v+'.*'+* · · Score: 3, Funny

    That, as opposed to a benevolent cyber attack. BIG difference.

    --
    If the universe is someone's simulation -- does that mean the stars are just stuck pixels?
  2. All your hashes belong to us by Anonymous Coward · · Score: 0

    First it says no passwords were compromised, then admits that some password hashes may have been accessed. Your shit was compromised because you are lame, and john the ripper makes quick work of your weak fucking hashes. Are there no BOFH left in this world?

    1. Re:All your hashes belong to us by Anonymous Coward · · Score: 0

      The problem isn't the hashes, the problem is not using a salt (or a sufficiently random one). The BOFHs exist, but obviously they were not involved here. Otherwise, someone would have been electrocuted to death for this mess by now.

    2. Re: All your hashes belong to us by Anonymous Coward · · Score: 0

      I use MD2 for hashing. No hippie modern tools have support to crack it. And rot13 instead of aes

  3. Haveibeenpwned says I’m compromised by Anonymous Coward · · Score: 0

    I got an email from haveibeenpwned saying my info was in this breach. I’ve never used Ticketfly. Actually, before getting the email and reading about this breach, I had never even heard of Ticketfly. I’m confused.

    1. Re:Haveibeenpwned says I’m compromised by GrumpySteen · · Score: 1

      Clearly you should click on the haveibeenpwned link in that email and give them all your personal information so that they can protect you. Make sure you include all your credit cards. If you leave one out, who knows what could happen.

  4. Found the LUDDITE! by Anonymous Coward · · Score: 0

    Only LUDDITES would think a LUDDITE website is more appportant than a modern appy app app!

    Apps!

  5. Translation by Anonymous Coward · · Score: 0

    "Passwords were not accessed" and "password hashes might possibly could have been somewhat accessed, but they aren't passwords" actually means "password hashes were stolen, too" and "we used MD5 to hash passwords"

    1. Re:Translation by Anonymous Coward · · Score: 1

      Exactly what I was thinking. If they don't tell me exactly how it's hashed, what algorithm, and if it's salted they might as well say the passwords were stolen too.

  6. Alerted by Have I been pwned Before Ticketfly !! by ripvlan · · Score: 1

    Ticketfly has not yet contacted me. But my subscription to Troy Hunt's "Have I been pwned" sent an alert a week or so ago.

    It's a WTF moment. I'd also like to see the data-dump so I can actually SEE what content the hacker grabbed.

    Most critical was the description on their website announcement "offering a secure alternative." I guess previously it was an insecure product - but now they'll offer their website in another flavor.

    idiots.

  7. umm by lactose99 · · Score: 1

    Why the hell is 'malicious' in quotes in the title? Is it an ironic malicious?

    --
    Fully licensed blockchain psychiatrist