Dark Web News Analysis
Dark web sources report a comprehensive data breach involving Scoring, a French ticketing and event management application. A threat actor on a hacker forum is circulating a dataset purportedly extracted from the platform’s backend.
The leaked files are named users.json, organizations.json, orders.json, and volunteers.json, indicating a complete dump of the application’s core data structures. The compromised information is extensive, including Full Names, Email Addresses, Phone Numbers, Physical Addresses, Dates of Birth, and critically, Stripe Account IDs linked to the organizations using the platform.
Key Cybersecurity Insights
Breaches of event management platforms affect a diverse ecosystem of athletes, volunteers, and organizers, creating multiple vectors for fraud:
- Stripe Connect Risk: The exposure of Stripe Account IDs in organizations.json is a significant threat to the event organizers. While an Account ID alone isn’t a password, attackers can use it combined with the Organization Details to launch targeted social engineering attacks against Stripe support, attempting to hijack the merchant account or divert ticket revenue payouts.
- Volunteer Targeting: The specific leak of volunteers.json puts unpaid staff at risk. Volunteers often submit sensitive data for accreditation. Attackers can pose as the event organizers, emailing volunteers: “Your accreditation for the upcoming race is incomplete. Please upload your ID scan here,” leading to identity theft.
- Ticket Scalping & Fraud: With access to orders.json, attackers know exactly who bought tickets for which event. They can craft phishing emails claiming an event is cancelled to solicit “refund processing fees,” or potentially invalidate legitimate tickets to resell them on the black market.
- GDPR Compliance: As a French entity handling data for athletes and minors (common in sports events), this breach is a serious GDPR violation. The exposure of Dates of Birth and Addresses requires immediate notification to the CNIL (French Data Protection Authority).
Mitigation Strategies
To protect the event community and financial assets, the following strategies are recommended:
- Stripe Audit: Organizations using Scoring should immediately review their Stripe dashboard for any unauthorized connected apps or changes to payout bank accounts.
- Volunteer Advisory: Event organizers must proactively warn the people on their volunteer lists that their data may have been exposed, and advise them to ignore requests for payments or password resets.
- Password Reset: All users (organizers, athletes, volunteers) should force a password reset on the Scoring platform.
- Regulatory Reporting: Scoring must assess the scope of the leak and file the mandatory breach notification with the CNIL within 72 hours.
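The Stripe audit step can also be run over an export of the account's event history rather than only by eye in the dashboard. The following is an added example, not code from Brinztech, Scoring or Stripe; it assumes events are available as dictionaries in the shape of Stripe Event objects, and the review window start, the known payout destination and all sample ids are constructed.

```python
from datetime import datetime, timezone

# Real Stripe event types that change payout destinations or app access.
WATCHED = {
    "account.external_account.created": "payout bank account added",
    "account.external_account.updated": "payout bank account modified",
    "account.external_account.deleted": "payout bank account removed",
    "account.application.authorized": "connected app authorized",
}

def audit_events(events, since, known_destinations):
    """Flag events at or after `since` that alter, or pay out to, an
    unexpected destination. Returns (event id, finding, object id) tuples."""
    findings = []
    for ev in sorted(events, key=lambda e: e["created"]):
        when = datetime.fromtimestamp(ev["created"], tz=timezone.utc)
        if when < since:
            continue  # outside the review window
        obj = ev["data"]["object"]
        if ev["type"] in WATCHED:
            findings.append((ev["id"], WATCHED[ev["type"]], obj.get("id")))
        elif ev["type"] == "payout.created":
            dest = obj.get("destination")
            if dest not in known_destinations:
                findings.append((ev["id"], "payout to unrecognized destination", dest))
    return findings

def _ev(n, etype, created, **obj):
    # Helper building a constructed event in the shape of a Stripe Event object.
    return {"id": f"evt_constructed_{n}", "type": etype, "created": created,
            "data": {"object": obj}}

# Constructed sample data; every id and timestamp below is made up.
SAMPLE_EVENTS = [
    _ev(1, "account.external_account.created", 1700000000, id="ba_constructed_known"),
    _ev(2, "account.external_account.created", 1704100000, id="ba_constructed_new"),
    _ev(3, "payout.created", 1704200000, id="po_constructed_1", destination="ba_constructed_new"),
    _ev(4, "payout.created", 1704300000, id="po_constructed_2", destination="ba_constructed_known"),
    _ev(5, "account.application.authorized", 1704400000, id="ca_constructed_1"),
]
REVIEW_FROM = datetime(2024, 1, 1, tzinfo=timezone.utc)  # assumed window start

if __name__ == "__main__":
    for finding in audit_events(SAMPLE_EVENTS, REVIEW_FROM, {"ba_constructed_known"}):
        print(finding)
```

Any finding should be checked against a change the organization itself made; a new bank account followed by a payout to it is the pattern that needs immediate escalation.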
Questions or Feedback?
For expert advice, use our ‘Ask an Analyst’ feature. Brinztech does not warrant the validity of external claims. For general inquiries or to report this post, please email us: contact@brinztech.com