Cyber Incident Victim: Coachella Valley Music and Arts Festival
Date: Feb 2017
Location: United States of America
Summary
A data breach compromised over 950,000 user accounts associated with the Coachella Valley Music and Arts Festival's website and message board, with stolen information including email addresses, usernames, and hashed passwords. The exposed data, split between approximately 360,000 main website accounts and 590,000 forum profiles—the latter containing additional IP addresses—was offered for sale on a dark web marketplace for $300. Independent verification confirmed the legitimacy of sampled accounts: registration attempts with sampled email addresses conflicted with existing accounts, and victims corroborated the data. No financial data was included in the breach. The organization did not publicly acknowledge the incident at the time of reporting.
| CIA Posture | Motives | Tactics, Techniques & Procedures |
|---|---|---|
| Available to members | 1 motive | 1 technique |

| Threat Actor | Type | Location |
|---|---|---|
| 1 actor | Available to members | Available to members |
Description
On February 22, 2017, cybersecurity researchers identified a dark web marketplace listing advertising the sale of over 950,000 user accounts associated with the Coachella Valley Music and Arts Festival's online platforms. A vendor using the alias "Berkut" offered the data for $300 on the Tochka marketplace, claiming it represented a complete database dump from that month. The compromised information included email addresses, usernames, and hashed passwords from two distinct systems: approximately 360,000 accounts from the main Coachella website and 590,000 accounts from the festival's message board platform. The message board records allegedly contained additional information including users' IP addresses. Berkut's listing explicitly stated that payment card details were not included in the dataset. Motherboard journalists obtained a sample of over 10,000 records and verified their authenticity by attempting account registrations on Coachella.com using 30 randomly selected email addresses, all of which were confirmed as existing accounts.

The data exposure impacted individuals who had created accounts across multiple years, with at least two confirmed victims referencing account activity dating back to 2010 and 2012. Affected users received direct notifications from journalists about the breach, prompting at least one individual to initiate password changes. Public evidence suggested the compromised credentials could enable unauthorized access to Coachella-related accounts, though no specific instances of account misuse were documented. The festival organizers did not issue immediate public statements or acknowledge the breach in response to media inquiries. Analysis of the dataset indicated security vulnerabilities in both the primary festival website and separate message board infrastructure, though the exact intrusion methods remained unconfirmed. The incident highlighted risks associated with reused credentials across entertainment platforms handling personal data.
