An unsecured database exposed an alleged scheme that involved scammers using event ticket vendors to rip fans off and stick the vendors with the loss, according to reporting from CNET. Groupon, Ticketmaster and TickPick were all targeted in the scheme, which CNET described as such:
The fraudsters create accounts with the ticket sellers and use stolen credit card information to make their purchases. Then they turn around and resell the tickets to fans, who might not be able to use them if the fraudsters resell them multiple times or the original sale is voided.
The plan collapsed when a pair of security researchers came across an unsecured database containing some 17 million emails tied to accounts made with the three vendors, plus a number of smaller local venue websites.
“We’ve worked on many similar database breaches, and certain aspects of this one didn’t add up,” wrote the researchers, Noam Rotem and Ran Locar. After contacting Groupon with our concerns, the full extent of what we’d uncovered was revealed.”
At first, they believed they’d stumbled across poorly-secured information from a legitimate business, but soon realized something was “off” after realizing there was no website for the mailing service and the email addresses didn’t appear to belong to real people.
Upon contacting Groupon, the researchers found out that the company has been chasing the network behind the database since 2016. Groupon’s Chief Information Security Officer estimated the number of fraudulent accounts to be as high as 20,000 according to the researchers’ report published at VPNMentor.com
Groupon and Ticketmaster didn’t respond to CNET’s requests for comment.
TickPick is the only company to provide any comment for the article. Jack Slingland, Vice President of Operations, told CNET that the company is vigilant against fraud activity. Customers who purchase tickets resold through TickPick are guaranteed comparable tickets if they arrive at the venue and find they’ve been sold fraudulent ticket.