On Thursday of last week, Ticketfly, the popular online box office, received a bit of a makeover. Their website, rather than directing users to concerts and events of their choosing, was decorated with the titular character from V for Vendetta, a British anarchist opposing a fictional fascist government. Along with the character were the words, “Ticketfly HacKeD By IsHaKdZ [sic]” followed by “Your Security Down im not sorry. Next time I will publish database backstage [sic].” The message also included the hacker’s email address. Twitter user @MichaelStenberg was able to capture a screenshot of the home page before it was taken down.
As this is written, the majority of the site remains offline, but reportedly Ticketfly is bringing systems back online for some of their clients. IsHaKdZ, as the hacker is known, has not been shy about their attack. In a conversation with Mashable, the hacker claimed to have warned Ticketfly of a vulnerability in its website and requested compensation to fix it.
“I asked them 1 bitcoin for protection [sic]. But I did not receive a reply from them,” the hacker said in an email. Along with their statement, IsHaKdZ also shared a large directory of spreadsheet files that seemed to contain the personal data of Ticketfly customers and employees. Mashable claims that they confirmed the authenticity of some of the data. As of right now, however, no credit card numbers or passwords have been shared, but the hacker has threatened to post more data, presumably if their demands are not met.
Eventbrite, the company that owns Ticketfly, told The Washington Post that an investigation into the breach is ongoing. They did confirm that “some customer information has been compromised as part of the incident, including names, addresses, emails, and phone numbers of Ticketfly fans.” Have I Been Pwned?, an independent website that tracks data breaches, reported that the hack affected over 26 million users. Eventbrite, on the other hand, could not confirm that number: “It’s critical that the information we share is accurate,” spokeswoman Gemma Pollard told The Washington Post. “We are actively working with a team of forensic and cybersecurity experts. Cyber incidents are unique, and the investigations typically take time.”