Taylor Swift: concert ticket theft with credential stuffing

Cyber criminals were successful in trying out usernames and passwords from data dumps on the darknet, known as credential stuffing. This enabled them to gain access to user accounts at ticket seller CTS Eventim. Their target was concert tickets for Taylor Swift's "The Eras" tour.

The attackers wanted to turn these apparently coveted tickets into money. Eventim explained in a statement that the "number of unauthorized resales [...] was in the low double-digit range". Such transactions could even be reversed, as the "abusive transactions" could be identified through the digital tickets. Eventim was also able to secure the money from buyers of the stolen tickets and refund it.

Eventim calls in prosecutors

The company has called in the police. The "passwords of accounts that we classify as potentially at risk" have been reset. User accounts have not been blocked, but ticket sales for the Taylor Swift tour have been temporarily suspended.

Eventim gives clear advice: "As email and password data was used that has very likely been in circulation for some time, we recommend that users first change their email password and then the password for their customer account." Although credential stuffing also involves testing other passwords for usernames, this is the most important and obvious tip for those affected. Identity and access management service provider Okta recently warned that these attacks have been on the rise for some time.

As only digital tickets are used, Eventim has recognized the theft attempts and "prevented them as far as possible". The company contacted its customers directly and also provided advice "on the use of secure passwords when shopping online". At the time of reporting, Eventim was unable to say in an interview with heise online whether the introduction of multi-factor authentication is planned. This could have made unauthorized access to the accounts even more difficult or even prevented it.

(dmk)