Ticketfly, an event ticketing company established in 2008, grew rapidly into a genuine challenger in the ticketing business. The company was first acquired by streaming service Pandora in 2015 and then again by a competitor, Eventbrite, in 2017. The site has millions of registered users and holds their personal data.
It was recently hacked, and personally identifiable information of around 26 million customers and employees was taken. Eventbrite was, however, unable to confirm that number, as the company is still actively investigating the incident. The site has been offline for the time being as an extra precaution.
The hacker demanded 1 Bitcoin (currently about $7,600) from Eventbrite in exchange for information about how the attack went down. Cyber security researchers believe that the attackers could have gained access by exploiting a vulnerability in Ticketfly's WordPress-based website. Hackers often scan WordPress sites in search of evidence of third-party plugins that can be attacked.
Automattic, the company behind WordPress, provides regular patches for its own software, but even then it can't ensure that users install them in a timely manner. Third-party plugins are also beyond its control, and it's all too common for those plugins to be forgotten and wind up woefully out of date.
It was confirmed that the attacker did not gain access to user passwords, and payment card details have also not been compromised. Even so, it is alarming that private information on 26 million individuals has gotten into the hands of a malicious hacker and that a lot of that information may be out already.