Hackers have breached Coachella’s website and stolen usernames and personal information from up to 950,000 accounts. No financial information was accessed, according to an email sent to users by the company that runs the festival, but account holders’ names, shipping addresses, email addresses, phone numbers, and dates of birth have been compromised.
This information may now be circulating on the dark web. Motherboard reports that a vendor was selling the data of 950,000 accounts on dark web marketplace Tochka for $300.
The website was able to confirm that the information belonged to Coachella users, but it couldn’t independently verify that they were the users who were recently hacked.
Passwords and bank details unaffected
Goldenvoice, the festival promoter behind Coachella, did not respond to the claim that users’ information is for sale, but it did email account holders to confirm the breach: “We recently discovered that unauthorized third parties illegally gained access to [information] provided to Coachella. We have confirmed that no user passwords were stolen.”
There was also no loss of financial information – unlike last year’s breach of The Madison Square Garden Company (MSG).
The MSG breach involved hackers gaining unauthorized access to credit card information used at five venues run by the company (Radio City Music Hall, Beacon Theatre, The Chicago Theatre, The Garden, and The Theater at MSG). The company declined to say how many people were affected.
The threat for Coachella account holders seems much lower than the MSG breach, but, as Goldenvoice wrote in its email, the leaked information still leaves users vulnerable to phishing attacks.
“Please remember that Coachella will never solicit personal information or account information from you via email,” Goldenvoice wrote. “Please exercise caution if you receive any emails or phone calls that ask for such information, or direct you to web sites where you are asked for personal or financial information. Festival ticketing purchase accounts were not affected by this incident.”
The ticket buying process does not go through Coachella’s website; it is handled by Elevate’s festivalticketing.com. Coachella.com only hosts news, forums, a customizable line-up, and the ability to activate wristbands. Still, the personal information required to sign-up could be all a cyber criminal needs to attempt an attack.
Subscribe to the Daily Sentinel for updates on this story and all the latest cybersecurity news.