Photo Credit: Sinousxl
Ticketmaster experienced a high-profile hack earlier this year. Now, countless people are seeing their tickets transferred to other accounts—with no verification step to prevent the instant transfer process. Why does Ticketmaster have 2FA for sign-in, but not ticket transfer?
The company disclosed the data breach on May 15, stating that more than 40 million users were impacted. While no login information or passwords were stolen in the hack, enough personally identifiable information was taken to help criminals build a data profile on potential targets. Leaked data included names, email addresses, payment information, and past ticket purchases.
Digital Music News has reported on numerous people who have since had their tickets taken directly out of their account. Days or weeks before a concert, a stranger breaks into a person’s Ticketmaster account and instantly transfers any tickets to another foreign party—lightning quick and without a way to counter the transfer.
That’s what happened to Ignacio Rodríguez-Viña, who reached out to Digital Music News to share his story. Ignacio purchased tickets to see Joaquin Sabina next year back in September 2024. He says the tickets sat in his Ticketmaster account just fine until November 7. “I started receiving tens of emails into my Gmail account asking me to confirm my subscription to different websites and services,” Ignacio shares.
“Whoever hacked my account wanted to send me so many emails that I did not realize that my tickets were being transferred. Fortunately, I was working in front of my computer and immediately realized that among those emails were two emails stating that my tickets were being transferred to two persons I don’t know and two other emails saying that my transfer had been accepted.”
Notice in these images that the ticket transfer notification email is dated 5:21 PM, a minute after the acceptance email (5:20 PM). So the transfer acceptance happened before the notification of the transfer even hit Ignacio’s Gmail account. Even if he had been on top of this, he could not have stopped the transfer. A simple 2FA verification (by phone or email) could prevent ALL of these instances of unauthorized transfers. It seems irresponsible of Ticketmaster not to offer this option—transferring tickets without 2FA should be opt-in, not opt-out.
Ignacio says he immediately reached out to Ticketmaster’s customer service to report the incident—both by calling and emailing. Ticketmaster’s customer service asked him for more information including his name, address, and the last four digits of the credit card used to purchase the tickets. “They told me that they would come back to me within three to give days. I have not heard back from them despite the multiple emails that I have sent them. I also asked them to block my tickets so that they cannot be sold again,” he shares.
Sold again. That’s a key piece of information here. Once transferred to someone else, the tickets are back on the (reseller) market. The fraudster can resell the tickets to another unsuspecting buyer (while Ticketmaster gets a cut from its resell platform) at face value and reap the value of the ticket in profit. Ticketmaster could easily stop this by requiring two-factor authentication (either by phone or email) to confirm the ticket transfer process.
Digital Music News reached out to Ticketmaster to inquire why it does not offer 2FA for transfers, but received a boilerplate reply. “Overall, our digital ticketing innovations have greatly reduced fraud compared to the days of paper tickets and duplicated PDFs,” a Ticketmaster spokesperson told Digital Music News.
“Having that digital history is also how we are able to investigate the situation and restore fans’ tickets in nearly every case, with most getting confirmation that their tickets were recovered in 48 hours,” the spokesperson continues.
Securing Your Ticketmaster Account
Since Ticketmaster does not provide 2FA for ticket transfers, any time you buy a ticket from them you are susceptible to this scam. Here’s how to protect yourself when buying tickets worth thousands of dollars from an organization that lacks proper security to prevent unauthorized transfers.
Create a unique Ticketmaster.com account password. Never re-use a password and try to choose a password that is not easy to guess. For example, ‘ilovetaylorswift’ is a terrible password for a Swiftie to secure their account. Use a password generator to help you create a secure, never-before-used password.
Dedicated hackers create data profiles on potential targets, including other leaked passwords. They use credential stuffing attacks to find password re-use instances, granting easy access to any account where a password was re-used. Setting a unique password that was never-before-used and associated with you can stop this. The password used for your Ticketmaster account should never be the same password as your personal email account. Use a password manager if you cannot remember multiple passwords.
Did you have Ticketmaster tickets taken out of your account? You can reach out to me at my Digital Music News email address to report the theft.