Ticketfly Data Breach Exposes 27 Million Accounts

Ticketfly announced that a data breach disclosed on May 31 didn't expose credit and debit card information. That's the good news--the bad news is that the names, addresses, email addresses, and phone numbers connected to 27 million accounts were compromised by the breach. (The company noted that some people have multiple accounts, which means the "number of individuals impacted is likely lower" than that figure.)

Information about who hacked Ticketfly and why has not been released. The company said it's working with "third-party forensic cybersecurity experts" to investigate the issue, but odds are good that we'll never know who stole this data, assuming Ticketfly and its partners can attribute the attack to someone in the first place. Most companies also try to put data breaches behind them as soon as it's possible to do so.

Ticketfly said that user passwords weren't compromised, but it still forced a password reset for all accounts on June 2 just to be on the safe side. The company also recommended that anyone who uses the same password across multiple websites--which is far more people than it should be--change their password on those sites as well. That's a common security precaution; just make sure the new password is unique this time.

Several of Ticketfly's websites were taken down while the company investigated the breach, but they're all back online now, and the company said that any ticket purchases shouldn't have been affected by the service outage.

Ticketfly wasn't the only company to reveal it had suffered a data breach in the last week. MyHeritage, a popular ancestry website, said that everyone who signed up for its website before October 2017 had their email addresses and hashed passwords stolen. That's 92,283,889 people, according to the company, which means the breach dwarfs Ticketfly's in terms of the sheer number of people who were affected by it.

Yet it seems that MyHeritage appropriately protected its users' data. The company said that "sensitive data such as family trees and DNA data are stored by MyHeritage on segregated systems, separate from those that store the email addresses, and they include added layers of security." It also doesn't handle payments itself--it relies on PayPal and other payment processors--so users' financial information is safe.

MyHeritage said that it's accelerated work on its two-factor authentication login system and set up a 24/7 security customer support team in response to this incident. Like Ticketfly, the company is also working with "a leading, independent cybersecurity firm" to investigate the breach. MyHeritage also specifically noted that it plans to comply with GDPR rules that require it to share information with the proper authorities.

Despite the numbers involved in these breaches--27 million and 92 million people, respectively, are nothing to sneeze at--the companies' responses show just how practiced many businesses are with incident responses. Data breaches like this are no longer uncommon; what matters is how companies limit the information hackers can steal and how they respond to the breaches after they occur. Welcome to the new normal.

Nathaniel Mott
Freelance News & Features Writer

Nathaniel Mott is a freelance news and features writer for Tom's Hardware US, covering breaking news, security, and the silliest aspects of the tech industry.