Nearly 1m Coachella user details potentially accessed in breach

Coachella, a popular music festival in southern California that features acts like Beyonce, Lady Gaga and Radiohead, revealed this week that its website had been breached, potentially compromising 950,000 accounts containing the personal details of concert-goers who had purchased tickets in years past or registered on the website’s user forums.

In an email to its registered users, Coachella said that:

We recently discovered that unauthorized third parties illegally gained access to the usernames, first and last names, shipping addresses, email addresses, phone numbers and dates of birth individuals provided to Coachella.

Coachella says that no financial or password information had been accessed during the breach; however, in an earlier story about this breach, Motherboard alleged that Coachella user details were being sold on the black market for $300, including user IPs and hashed passwords.

Either way, Coachella strongly encourages any registered users to change their passwords on their website and anywhere else they may have used the same password – although we always discourage you from reusing passwords anyway!

The email goes on to warn Coachella registrants that due to the breach, they could become targets for phishing campaigns from attackers posing as Coachella employees or other interested parties.

The takeaway is two-fold on a breach like this:

For users, this just goes to demonstrate that even on a “trivial” website – where it may not seem like security matters for much – a simple breach on a music festival website can lead to some headaches down the road. As always, we recommend using a unique password for every website where you need to register. If you find that to be a daunting task, a password manager can help.

For vendors, it’s a reminder that you’re the steward of any data you gather from your users. Make sure you’re truly prepared to protect that data, and only ask for data that you truly need. Perhaps Coachella needed its users’ date of birth to verify their identity, or perhaps it was just a nice-to-have. Either way, unfortunately, that information has now been exposed.