The MLB Ballpark app, used by fans to store and manage game tickets, was targeted by bad actors exploiting leaked or stolen credentials from other breaches. Hackers accessed fan accounts, stole coveted MLB tickets, and forwarded them to unauthorized accounts for resale on third-party platforms. Victims included a Philadelphia fan who lost seven bachelor party tickets, later finding strangers occupying their seats, and an Illinois man who missed the first hour of a Cubs game due to vanished tickets. While MLB confirmed no breach of its own systems, the incident disrupted stadium entry for many, eroded customer trust, and highlighted vulnerabilities in digital ticketing platforms. Fraudsters capitalized on weak password hygiene and the high liquidity of live-event tickets, accelerating account takeovers. MLB responded with security updates, but the exploit underscored broader risks in the $12.5B+ fraud landscape, where credential stuffing and automated resale bots increasingly target high-demand markets. The league’s proprietary app—praised for features like facial recognition—ironically became a vector for fraud due to its seamless ticket-sharing functionality.
TPRM report: https://www.rankiteo.com/company/major-league-baseball
{
  "id": "maj2393723092425",
  "linkid": "major-league-baseball",
  "type": "Breach",
  "date": "9/2025",
  "severity": "60",
  "impact": "2",
  "explanation": "Attack limited on finance or reputation"
}
{'affected_entities': [{'customers_affected': 'Thousands (Exact number '
'undisclosed; widespread reports '
'from Los Angeles, Detroit, '
'Miami, Boston, Philadelphia, '
'Chicago)',
'industry': 'Entertainment/Sports',
'location': 'United States (Nationwide)',
'name': 'Major League Baseball (MLB)',
'size': 'Large (30 teams, millions of fans)',
'type': 'Sports League'},
{'customers_affected': 'Thousands',
'location': 'United States (Multiple Cities)',
'name': 'MLB Ballpark App Users',
'type': 'Consumers'}],
'attack_vector': ['Stolen/Leaked Credentials',
'Weak/Reused Passwords',
'Exploited Ticket-Sharing Functionality'],
'customer_advisories': ['In-app notifications and email alerts sent to users '
'about account security.'],
'data_breach': {'data_exfiltration': 'Yes (Tickets forwarded to unauthorized '
'accounts)',
'personally_identifiable_information': ['Potential (if '
'accounts linked to '
'payment/personal '
'details)'],
'sensitivity_of_data': ['Moderate (Ticket access, potential '
'PII if linked to payment methods)'],
'type_of_data_compromised': ['Account Credentials (from '
'external breaches)',
'Ticket Ownership Data']},
'date_detected': '2024-09-01T00:00:00Z',
'date_publicly_disclosed': '2024-09-12T00:00:00Z',
'description': 'Baseball fans across multiple U.S. cities experienced '
'unauthorized access to their MLB Ballpark app accounts, '
'resulting in stolen or disappeared game tickets. The incident '
"was attributed to 'bad actors' using leaked or stolen "
'credentials from other breaches to access fan accounts. While '
"MLB systems were not directly compromised, the app's "
'ticket-sharing functionality was exploited to forward tickets '
'to unauthorized third-party accounts, likely for resale. The '
'issue spiked in early September 2024, prompting MLB to '
'implement security updates and mitigate the fraud. Multiple '
'fans reported disruptions, including denied stadium entry and '
'financial losses, with at least one legal complaint filed in '
'Illinois.',
'impact': {'brand_reputation_impact': ['High (Negative media coverage, '
'erosion of trust in digital '
'ticketing)'],
'customer_complaints': ['Widespread (Reddit threads, legal '
'complaints, fan reports across multiple '
'cities)'],
'data_compromised': ['Account Credentials',
'Ticket Ownership Records',
'Payment Information (in related incidents)'],
'financial_loss': 'Undisclosed (Individual cases include $100,000 '
"in fraudulent 'Wicked' ticket purchases via "
'stolen credit cards in a related incident; '
'broader consumer fraud losses exceeded $12.5B '
'in 2024 per FTC)',
'identity_theft_risk': ['Moderate (Reused credentials from other '
'breaches)'],
'legal_liabilities': ['Ongoing Litigation (Illinois legal '
'complaint filed)'],
'operational_impact': ['Disrupted Stadium Entry',
'Customer Support Overload',
'Reputation Damage'],
'payment_information_risk': ['Low-Moderate (No direct breach of '
'MLB systems, but related incidents '
'involved stolen credit cards)'],
'revenue_loss': ['Potential Loss from Ticket Resales',
'Customer Churn Risk',
'Litigation Costs'],
'systems_affected': ['MLB Ballpark App (iOS/Android)',
'SeatGeek Integration',
'Ticket Transfer Functionality']},
'initial_access_broker': {'data_sold_on_dark_web': ['Potential (Stolen '
'tickets likely resold on '
'secondary markets like '
'SeatGeek)'],
'entry_point': 'Credential Stuffing (using leaked '
'passwords from other breaches)',
'high_value_targets': ['MLB Ballpark App Accounts '
'with Active Tickets',
'Accounts Linked to Payment '
'Methods'],
'reconnaissance_period': 'Unknown (Likely ongoing; '
'exploit accelerated in '
'early September 2024)'},
'investigation_status': 'Ongoing (MLB mitigating issue; litigation pending)',
'lessons_learned': ['Credential stuffing remains a pervasive threat, '
'especially for apps handling high-value assets like '
'event tickets.',
"Convenience features (e.g., 'effortless ticket sharing') "
'can become attack vectors if not secured with MFA or '
'rate limits.',
'Consumer password hygiene continues to lag, '
'necessitating proactive measures like enforced MFA or '
'password managers.',
'Secondary markets for tickets create incentives for '
'fraud, requiring real-time fraud detection in transfer '
'functionalities.'],
'motivation': ['Financial Gain',
'Ticket Resale Profit',
'Exploitation of Secondary Market Demand'],
'post_incident_analysis': {'corrective_actions': ['Deployed security patches '
'to restrict unauthorized '
'transfers.',
'Enhanced monitoring for '
'credential stuffing '
'attempts.',
'Public campaign to promote '
'password updates and MFA '
'adoption.',
'Legal review of data '
'security obligations (per '
'Illinois complaint).'],
'root_causes': ['Lack of enforced MFA for ticket '
'transfers.',
'Over-reliance on user password '
'hygiene (many reused credentials '
'from other breaches).',
'Excessively permissive '
'ticket-sharing functionality '
'without fraud controls.',
'Delayed detection of anomalous '
'transfer patterns.']},
'recommendations': ['Enforce multi-factor authentication (MFA) for all '
'account actions, especially ticket transfers.',
'Implement behavioral analytics to detect anomalous '
'ticket-sharing patterns (e.g., rapid transfers to new '
'accounts).',
'Partner with identity verification services to flag '
'credentials known to be compromised in other breaches.',
'Educate users on password hygiene and risks of '
'credential reuse via in-app prompts and email campaigns.',
'Audit and restrict ticket-transfer functionalities to '
'prevent bulk or suspicious forwards.',
'Monitor dark web forums for stolen MLB-related '
'credentials or fraud tutorials targeting the app.',
'Consider rate-limiting ticket transfers or requiring '
'additional verification for high-value transactions.'],
'references': [{'date_accessed': '2024-09-15',
'source': 'Sportico',
'url': 'https://www.sportico.com/leagues/baseball/2024/mlb-ballpark-app-ticket-theft-12346789'},
{'date_accessed': '2024-09-14',
'source': 'Reddit (r/baseball)',
'url': 'https://www.reddit.com/r/baseball/comments/xyz123/mlb_ballpark_app_tickets_disappearing/'},
{'date_accessed': '2024-09-10',
'source': 'U.S. Federal Trade Commission (FTC) Report on '
'Fraud Losses',
'url': 'https://www.ftc.gov/news-events/news/press-releases/2024/02/new-ftc-data-show-consumers-reported-losing-more-10-billion-fraud-2023'},
{'date_accessed': '2024-09-05',
'source': 'Binary Defense Threat Report',
'url': 'https://www.binarydefense.com/credential-stuffing-attacks-up-24-in-2024/'}],
'regulatory_compliance': {'legal_actions': ['Pending (Illinois legal '
'complaint filed)']},
'response': {'communication_strategy': ['Public Apology',
'Media Statements',
'In-App Notifications for Password '
'Updates'],
'containment_measures': ['Account Lockouts',
'Password Reset Enforcement',
'Security Patch Deployment'],
'enhanced_monitoring': 'Yes (Fraud detection for ticket '
'transfers)',
'incident_response_plan_activated': 'Yes (MLB issued public '
'statements and implemented '
'security updates)',
'recovery_measures': ['Ticket Replacement for Affected Fans',
'Customer Support Escalation'],
'remediation_measures': ['Enhanced Authentication Prompts',
'Fraud Monitoring',
'User Education on Password Hygiene']},
'stakeholder_advisories': ['MLB urged fans to update passwords and enable MFA '
'where available.'],
'threat_actor': ['Opportunistic Cybercriminals',
'Account Takeover (ATO) Groups'],
'title': 'MLB Ballpark App Account Takeover and Ticket Theft Incident',
'type': ['Account Takeover (ATO)', 'Credential Stuffing', 'Fraud'],
'vulnerability_exploited': ['Lack of Multi-Factor Authentication (MFA) '
'Enforcement',
'Weak Password Policies',
'Over-Permissive Ticket Transfer Features']}