Massive Dark Web Data Dump Exposes Russian Ticketing Giant Kassy.ru

Abeerah Hashim - Security Expert
Last updated: December 30, 2025
  • A big Russian event ticketing service, Kassy.ru, suffered a breach that jeopardized the records of more than 300,000 of its users on December 29, 2025.
  • Threat actor "Demetrius" published the entire database on DarkForums, hinting that the content carried emails, phone numbers, passwords, payment credentials, and Telegram IDs.
  • Speculation is building, as records show that a breach hit an event ticket service, Ticket to Cash, in the past, exposing over 500,000 sensitive credentials.

Kassy.ru, a Russian e-ticketing platform, has become yet another victim of cybercrime within the entertainment industry. The service sells tickets for concerts, theaters, and sporting events in over 100 cities throughout Russia, and its user database has been leaked onto dark web sites.

Kassy.ru publicly disclosed the data breach on December 29, 2025, and the incident put hundreds of thousands of users at risk immediately.

In May 2025, Ticket to Cash, a ticket resale platform, also leaked a large amount of sensitive data when cybersecurity researcher Jeremiah Fowler stumbled upon an unsecured database containing 200GB of data and more than half a million records. The incidents highlight the vulnerability of ticketing platforms as targets for cybercriminals seeking to steal data.

Complete database posted on criminal forum

The Kassy.ru breach was discovered when threat actor “Demetrius” posted the stolen data on DarkForums, a notorious platform where hackers trade compromised information. These forums serve as a comprehensive black market, offering everything from stolen databases to critical system access, such as the recent sale of a Turkish university’s VPN credentials.

“Hello DarkForums Community, Today I have uploaded kassy ru database breach for you to download, thanks for reading and enjoy!” Demetrius wrote, treating 300,000 people’s personal information as casual entertainment.

The leaked database contains a disturbing array of sensitive details including full legal names, emails, phone numbers, residential addresses, as well as birth information. The breach also exposed login details and passwords, putting accounts that use the same credentials across different platforms at risk.

But the breach goes deeper than basic contact information. The stolen database includes extensive payment-related data such as payment IDs, payment types, booking details, and transaction histories. Telegram IDs and passport information fields were also compromised, creating serious privacy concerns.

Sample code snippets posted by Demetrius show database structures containing fields for email confirmation status, password fields (both hashed and plain text references), and family information. Additional tables include payment order details, approval codes, payment methods, card payment system information, and bank details.

Ticket resale platform also compromised

The Ticket to Cash breach adds to the mounting evidence that ticketing services are under siege. The 200GB unprotected database contained names, email addresses, home addresses, and partial credit card data. It also held thousands of ticket files, proof of transfers, as well as receipts.

Fowler identified Ticket to Cash as the origin based on “internal folder structures.” He reported the issue immediately but got no initial feedback. The team secured the database only after four days, by which time more credentials had already been exposed.

It’s still uncertain whether the attack originated from the firm itself or a partnered contractor. The disclosure of sensitive personal data and financial credentials raises significant privacy risks, particularly as online ticketing thrives.

What’s at stake for victims

For Kassy.ru’s 300,000 users, the risks are substantial and immediate. Because the breach exposed usernames and passwords, attackers can launch credential stuffing attacks on other services. When a person uses the same password across multiple applications, credential stuffing becomes a very serious threat.

This risk is amplified by widespread security flaws in other sectors, such as the recent discovery that popular travel apps were exposing sensitive data for millions of users.

The theft of personal information allows attackers to conduct highly targeted phishing scams. Using the personal information in the stolen data, they can create legitimate-looking emails or messages. For example, they may pose as Kassy.ru support staff, state that there is a problem with a purchase token, and cite genuine bookings taken from the stolen data to build credibility.

Attackers could exploit Telegram ID information to perform very convincing social engineering attacks through the Telegram messaging service. Furthermore, telephone numbers provide another way to exploit individuals via vishing (voice phishing).

Payment information in the databases raises additional red flags. Although it’s unclear whether either breach exposed full credit card numbers, criminals could potentially use the payment order data, approval codes, and payment system details to commit financial fraud or reconstruct transaction patterns.
