Ticketfly continues to make progress bringing its platform online, following a devastating “cyber incident” that ground the entire platform to a halt last week and caused several days of outages across North America.
As cyber and forensic experts examine the attack, the vulnerabilities exploited by the hacker are starting to come into focus. The dominant theory is that the hacker gained access to Ticketfly through one of the 400 to 500 WordPress sites the company created for its many venue, promoter and festival clients. The content management system (CMS) is one of the most popular platforms on the web — Amplify’s Media’s site relies on WordPress (please don’t hack us bro). The CMS is easy to use and the wide availability of plugins and customizations make WordPress incredibly popular, but also difficult to secure and keep updated with security patches.
“As one of the world’s most high-profile open source software projects, WordPress has been a natural target for ongoing security exploits ever since it arrived on the scene,” one well-read developer site explained in an article detailing the many vulnerabilities of WordPress.
It’s highly possible the Ticketfly hacker gained access through a hack of a WordPress site or plugin that had not been updated, potentially giving the intruder access to a large stack of 400-500 WordPress sites. It’s also possible the hacker somehow gained access to Ticketfly’s API that quickly repopulates client’s sites with update inventory information, letting users know when tickets for a particular show have sold out.
Ticketfly officials have been mum so far about what created the security vulnerability and why they were able to fix the Backstage system quicker than the rest of the platform, but doing so allowed sales to take place and helped promoters scan fans in for hundreds of shows and events during the busy summer concert weekend. The company has also not explained its decision to take the entire Ticketfly platform offline to address the incident.
On Wednesday, Ticketfly officials notified users “much of the Ticketfly system is now back online” including a temporary homesite for Ticketfly.com. The company still has not restored the hundreds of WordPress websites it had created for clients, instead creating temporary clones sites through the Eventbrite platform.
“While we’ve rolled out a temporary website solution, and the vast majority of these sites are now live, we don’t yet have an update on our longer-term strategy,” the letter read, with many promoters believing the company won’t bring the WordPress sites back online because of security concerns. The company’ Ticketfly iOS app, as well as the Promoter and Fanbase apps, are all still down.
Ticketfly’s reluctance to bring the WordPress sites back online shows the company is being careful as it crafts a strategy to potentially rebuild and relaunch hundreds of clients sites. If it ultimately decides to drop WordPress and go with a different CMS system, it could take months to get all clients sites back on the web.