One week after suffering a hack that took its website and services offline, events ticketing company Ticketfly revealed Thursday just how bad the data breach was, and it certainly doesn’t look great. According to the company, the personal information of 27 million accounts—including ticket buyers and venue operators—was accessed by a hacker.
The stolen information includes names, addresses, email addresses and phone numbers of Ticketfly customers. The company said passwords and financial information were not accessed, though Ticketfly conceded that it is possible that “hashed values of password credentials could have been accessed.” As a precautionary measure, the company reset the passwords of all buyers and clients on June 2nd.
Here’s the full statement provided to Gizmodo by a Ticketfly spokesperson:
Last week Ticketfly was the target of a malicious cyber attack. In consultation with third-party forensic cybersecurity experts we can now confirm that credit and debit card information was not accessed. However, information including names, addresses, email addresses and phone numbers connected to approximately 27 million Ticketfly accounts was accessed. Upon first learning about this incident we took swift action to secure the data of our clients and fans. We take privacy and security very seriously and regret any disruption this has caused. We’re extremely grateful for the patience and support of the Ticketfly community.
The exposed data disclosed by Ticketfly appears to match the information that the hacker, who goes by IsHaKdZ, circulated after the breach. Have I Been Pwned, a service that alerts people if their email address was included in a data breach, reported receiving more than 26 million records exposed in the Ticketfly hack. The data was described as containing “email addresses along with names, physical addresses, and phone numbers.” (You can check to see if your email was included in the Ticketfly breach on Have I Been Pwned.)
IsHaKdZ told Gizmodo last week he was in possession of a “complete” database of customer information but didn’t disclose anything further. He did not respond when contacted Thursday and asked if the data disclosed by Ticketfly was the extent of the data he is in possession of.
IsHaKdZ seems to have mostly gone dark since carrying out the hack, which he claims to have executed by exploiting a vulnerability in Ticketfly’s site that allowed him to gain access to user data. The hacker said he tried to alert Ticketfly of the vulnerabilty—while also attempting to extort one bitcoin out of the company for “protection”—but the company didn’t take the warning seriously.
In addition to exfiltrating user information, IsHaKdZ also defaced the Ticketfly website and forced it offline for nearly a full week. The hack also knocked some of Ticketfly’s operations offline, making it difficult for ticket buyers to access their tickets online. Venues were provided a physical list of people who purchased tickets and were made to manually check in each person for an event.
The site is back online, as is the company’s product called Ticketfly Backstage, which provides a suite of services to venues including ticket sales. The company’s iOS app, as well as a number of other tools including Promoter and Fanbase, remain offline.