A ticketing website leaked over 5000 users' data—then it was all over Facebook
A major data breach involving the ticketing website for an upcoming concert in Dhaka titled 'Magical Night 2.0' has exposed personal information of more than 5000 concert-goers, including names, emails, phone numbers, and ticket details. The breach was discovered by a developer who revealed that the leak occurred through vulnerabilities in the website of the ticketing partner, Ticket Tomorrow. The concert, organised by Triple Time Communications, is scheduled for November 29 in Dhaka with prominent Pakistani singer Atif Aslam headlining the event.
The leaked folders obtained by The Daily Star have at least 5000 PDF-format tickets with detailed contact information of individual concert-goers. The leaked information also includes data such as ticket prices and zone classifications (front zone, general zone, magical zone). The developer responsible for uncovering the breach made the decision to go public by creating a Google Drive link with all the compromised data and posting it on Facebook, making the data accessible to all.
At the time of writing this report, the ticketing website for the event showed that all tickets for the event were sold out.
The Daily Star was able to independently verify the accuracy of the leaked information by cross-checking details with multiple concert-goers, who confirmed that their contact information had indeed been exposed. The Daily Star was also able to inspect and confirm the security weakness in the Ticket Tomorrow website, as described by the developer. The Daily Star has chosen not to disclose any specific details from the leaked information, including the public Google Drive link, in order to safeguard the privacy of those affected.
In a public post made from a newly created Facebook account, the developer also revealed that they had full access to the entire Ticket Tomorrow system, stating, "I had access to their entire site. If I wanted, I could have edited, deleted, or even generated tickets for the event." They also alleged that the event's organisers have been misleading the public about ticket availability. According to the developer, the organisers falsely claimed that the event was sold out. "They posted 'sold out', but I can confidently say the tickets are not sold out," the developer explained. "I deliberately forced them to stop selling tickets, but they will resume ticket sales later. Right now, they are just buying time for damage control."
The developer behind the public release of the data has not responded to requests for comment. Multiple attempts were also made to contact representatives and spokespersons from Triple Time Communications, but they did not respond to requests for comment.