Mystery database left open turns out to be massive Groupon ticket fraud ring

Yes, turns out people still use this voucher biz – who knew?

We have a new twist on the "researchers find unprotected public-facing cloud-hosted database" story, as one recently uncovered archive turned out to be at the heart of a years-long fraud operation.

The team at VPNmentor said they were confused when first encountering the mystery database that contained details on scores of accounts from ticket purchasing sites. The profiles, all seemingly used for small, independent theaters and music venues, contained payment details for around 17 million ticket purchases.

"The breach seemed to give access to personal details of anyone purchasing tickets from a website using Neuroticket," explained the VPNmentor team, headed up by Noam Rotem and Ran Locar, on Wednesday.

"Initially, we believed this vulnerability compromised customers on these websites."

Even more curious, when the team tried to track down the owners of the exposed email addresses, they got few responses, indicating the vast majority were fake accounts.

When efforts to tie the records to a breach of Neuroticket, Ticketmaster, or Tickpick all resulted in dead ends, the team noticed that around 90 per cent of the records also referenced Groupon.

When the VPNmentor crew got in touch with Groupon, they had their breakthrough. It turns out the emails had all been used to purchase tickets for gigs, plays and concerts that were on offer through Groupon deals. What's more, Groupon immediately recognized the purchases as being the work of a fraud ring it had been tracking since 2016.

The fraudsters in this case used an army of fake accounts and stolen credit card numbers to make bulk purchases of tickets being offered at ..