Hacker says Claude AI helped to get VIP tickets to America’s most wanted festivals for free
Some tickets cost $4,000

Claude helped a hacker break into the ticketing system used by major US music festivals, granting them free access to festival tickets costing up to $4,000.
- Claude AI helped a security researcher exploit a SQL injection flaw in Front Gate Tickets, Live Nation's festival ticketing platform.
- The vulnerability exposed 500+ database tables, employee credentials, and allowed unlimited ticket generation for major US music festivals.
- Affected festivals include Lollapalooza, Bonnaroo, Austin City Limits, Electric Daisy Carnival, and South by Southwest.
- Front Gate Tickets patched the vulnerability within one day of disclosure and reported no evidence of prior exploitation or fraudulent tickets.
Key Takeaways by nexos.ai, reviewed by Cybernews staff.
Ian Carroll, a security researcher and white-hat hacker, says Anthropic's Claude AI helped him discover and exploit a vulnerability that could have allowed him to download an unlimited number of tickets to some of the biggest music festivals in the United States.
The researcher gained access to the Front Gate Tickets ticketing platform, owned by Live Nation and serving major festivals including Lollapalooza, Bonnaroo, Austin City Limits, Electric Daisy Carnival, and South by Southwest.
“It was pretty cool to see a ticket that’s $4,000, and I could just hit a button and issue as many as I wanted,” Carroll told Wired.
“I could go to every single event with no limitations or restrictions; I could get the backstage pass or whatever they sell to the super VIPs, even if it’s sold out.”
Claude’s AI helped to bypass the security measures
According to Carroll, the vulnerability originated from an unauthenticated SQL injection flaw in Front Gate's device API.
SQL injection is a web vulnerability that allows attackers to manipulate database queries when applications fail to properly sanitize user input. In this case, a parameter known as deviceUID was reportedly inserted directly into database queries.
Initially, Carroll's attempts to exploit the flaw were blocked by the site's web application firewall. But instead of giving up, he turned to Claude Opus 4.7, Anthropic's latest AI model, asking it to find another route.
According to Carroll, Claude identified that the firewall only inspected the outer layer of submitted SQL queries. By wrapping the malicious query inside a nested subquery, the AI produced a payload that bypassed the protection.
An infinite number of tickets
Once the firewall was bypassed, Carroll said he gained access to a database containing more than 500 tables. Among the exposed information were employee login data and live password reset tokens.
Using those tokens, Carroll said he was able to claim administrator privileges on the platform. With administrative access, he could reportedly create tickets for any event hosted through Front Gate, including premium VIP packages worth thousands of dollars.
He said he located a Bonnaroo Platinum ticket priced at approximately $4,000 that could have been duplicated indefinitely. However, Carroll emphasized that he never generated or redeemed any tickets.
“I stopped here and did not view any records beyond what was needed to confirm the issue. The point was made: an unauthenticated request to a scanner API was enough to become an administrator of EDC, Bonnaroo, and every other festival on the platform,” Caroll wrote.
Attackers could hijack accounts and generate fraudulent tickets
According to the researcher, an attacker with nothing but the public device endpoint could allegedly issue complimentary tickets for any event hosted through Front Gate Tickets, access customer records and internal credentials across the platform.
Also, attackers could redeem active password reset tokens to hijack employee and customer accounts.
The researcher disclosed his findings to Front Gate on April 25th, and the company fixed it the following day.
In response to the disclosure, Front Gate claimed there was no evidence of prior exploitation or that fraudulent tickets were issued.
Front Gate downplayed the impact of the discovery, as any fraudulent tickets generated would have left an audit trail and been canceled before they could be used.
Cybercriminals target ticket platforms
This is not the first time the company has been under scrutiny for cyber incidents. Another Live Nation product has suffered a major attack before.
In May 2024, the ShinyHunters hacking group claimed to have breached Ticketmaster, stealing the personal data of 560 million users from a 1.3TB dataset hosted on a third-party cloud database. Hackers demanded $500,000 in ransom.
Live Nation confirmed the breach, stating that it affected an isolated cloud database hosted by a third-party data services provider.