Baseball fans from Los Angeles and Detroit to Miami and Boston saw coveted tickets to MLB games disappear from their accounts within the league’s Ballpark app earlier this month. Some faced disruptions while attempting to enter stadiums using tickets in the app, and many more got notices to update their account information.
In a statement, MLB said it has uncovered “bad actors” who used leaked or stolen credentials from breaches of other websites to access fan accounts, adding that there is no evidence that MLB systems themselves were exploited and that its app is operating properly.
MLB’s Ballpark app was designed for fans attending baseball games, offering ticket storage and management capabilities, as well as other features such as stadium maps and weather alerts. Fans can also sell their tickets using a connection to SeatGeek or directly transfer them to other users.
“We are working tirelessly to address this matter and protect our fans,” the league said. “We want all of our fans to have a great experience when they come to the ballpark, and we are sorry that some fans have had to deal with an issue related to their tickets.”
While the frenzy seems to have been quelled with the league’s latest security updates, the issues highlighted the growing threat of identity fraud targeting sports fans, particularly within the frothy market for live event tickets.
Reports of baseball tickets disappearing from the app spiked around the beginning of September, according to an MLB source granted anonymity to discuss the matter. Numerous fans took to Reddit to report similar issues.
One Philadelphia fan said seven tickets acquired for their brother’s bachelor party were swiped sometime before the day of the game. After the Phillies replaced their tickets, the group found people sitting in their seats, who said they’d bought the stubs online an hour before the first pitch.
In many cases, fans were able to see that the tickets were surreptitiously forwarded to unrecognized accounts, presumably so they could be sold on third-party sites. In a legal complaint filed Thursday, an Illinois man said he missed the first hour of a Cubs tilt after his tickets vanished on the day of the game. The filing goes on to argue that “MLB’s data security obligations were particularly acute given the substantial increase in data breaches in various industries preceding the date of the Data Breach.”
The league declined to comment on ongoing litigation.
Fraud cost consumers more than $12.5 billion in 2024, a 25% jump over the prior year, according to the U.S. Federal Trade Commission. In 2024, a separate report found that so-called “account takeover attacks” were up 24% year-over-year. Often, consumers can recoup their losses, Merchant Risk Council CEO Julie Fergerson said, with companies facing both lost revenue and a potential deflation of customer confidence.
While experts, including those at MLB, urge buyers to use different, secure passwords for each of their accounts across different sites, surveys continue to find that a majority of Americans don’t practice pristine password hygiene. Consumers are also encouraged to set up multi-factor authentication for purchases when possible, but only some do.
“Especially in the United States, we love convenience over security,” Fergerson said.
Following data breaches, hackers identify uses for the stolen information, occasionally selling techniques in manuals for others on forums dedicated to the practice. That explains how instances of fraud strategies can explode overnight before being dealt with.
As live event get-in prices rise, ticket platforms become a more enticing target for illicit activity. The move to digital stubs has cut down on old-school forgery, but other avenues for concern have emerged. Prior to this month, multiple users have complained online about their credit card information being used to purchase game tickets on top ticket marketplaces. In the case of the Kentucky Center for the Performing Arts, a man in Northern Ireland allegedly racked up $100,000 in purchases for “Wicked” tickets using stolen card info.
A Ticketmaster data breach reportedly exposed up to 560 million North American customers in 2024. A Blue Jays fan appears to have lost control to his StubHub account, and the tickets within it, this July. For its part, MLB-owned Tickets.com has posted multiple job listings for a “fraud prevention analyst” this year, a position that a league source said is not new for the company (among the job perks: MLB tickets). At the same time, reports of speculative ticket sales—aka “ghost tickets”—have some potential buyers on edge. Others have attempted to set up automated bots that buy tickets from teams before humans can acquire them and then resell them at higher prices.
MLB is unique among major leagues in operating its own companion app for game attendees across all its clubs. In other sports, teams typically work with different official ticket providers. Baseball’s proprietary platform allows it to roll out advances such as facial recognition-based stadium entry and in-app concessions purchases. On Apple’s iOS App Store, the app has 1.1 million ratings averaging 4.7 stars out of five. The league also touts the app’s “effortless ticket sharing” functionality, though for some, it proved too easy for tickets to change hands this month.
Once hackers identified that some MLB Ballpark users were vulnerable to losing their account access due to having repeated or weak passwords—and that they held valuable assets that could be sold in relatively liquid markets—it makes sense that the apparent fraud accelerated quickly. But with the league now taking steps to mitigate the issue, it’s also likely that those involved have already moved on to focusing on their next potential target.
“We hadn’t really seen something like it,” Binary Defense counterintelligence manager Jake Aurand said of the Ballpark exploit. “It blew up. … But if [MLB] make it difficult enough [for hackers], it’s likely threat actors will move on to the next thing.”
Read the full article here