What did the researcher actually do?

Ian Carroll went hunting for holes in Front Gate Tickets, the ticketing arm Live Nation and its Ticketmaster division use for a long list of American festivals. He found a device-facing API endpoint that gate scanners talk to, and a parameter called deviceUID that was not cleaning its input. The platform sat behind a firewall, an AWS WAF, that only read the outer layer of a query. Carroll used Anthropic's Claude to wrap the malicious code inside a nested subquery, and the payload walked straight through. From there it became a boolean oracle, one true-or-false question at a time, until the database gave up its shape.

How bad was the access?

Bad. The internal database held more than 500 tables: staff logins, customer orders, and a table of live password-reset tokens that could be redeemed to hijack accounts. With that, Carroll says he could issue comp tickets to any event, of any value, straight to himself, and search customer records at will. A single query for "chris" returned thousands of people. This is the entry spine for EDC, Bonnaroo and Outside Lands, sitting one unauthenticated request from full takeover.

The firewall only read the outside of the query. The real damage was one layer down.

Why does this land on Ticketmaster?

Because Front Gate Tickets is theirs. Live Nation and Ticketmaster have spent years defending their grip on live music by pointing to scale and security, and this is the same corporate family whose consumer breach exposed millions in 2024. Consolidation was sold as safety. Here is a Live Nation platform that ran the entry system for nearly every major US festival on code carrying an unauthenticated SQL injection. Carroll reported it on 25 April, Front Gate fixed it within about a day, and says there is no sign anyone hostile found it first. The public write-up landed on 1 July.

What it means for the floor

Two things. First, the AI did not break in on its own. Carroll drove it; Claude shortened the afternoon by spotting the firewall bypass a human would have taken longer to find. He works inside Anthropic's vetted researcher program, which the company says would have blocked this activity for anyone outside it. Second, when one firm owns the pipes for most of the market, one bug is everyone's bug. The wristband on your arm is only as safe as the least-audited endpoint behind it.