Let’s say you have a $4,000 Bonnaroo Platinum wristband on your arm. Now imagine someone generating it from a laptop without paying a cent. According to WIRED, security researcher Ian Carroll did almost exactly that — stopping just short of checkout — after using Anthropic’s Claude Opus 4.7 to crack open the ticketing infrastructure behind nearly every major US music festival. The report, published July 1, 2026, details how AI accelerated a vulnerability hunt that exposed Front Gate Tickets, a platform owned by Live Nation Entertainment.
How an AI Cracked the Gate
Carroll reportedly bypassed a web application firewall and walked straight into an admin account.
The flaw was an SQL injection — a technique in which input supplied by the attacker is interpreted as part of a database query, tricking the database into exposing data it shouldn’t. Claude helped Carroll navigate past the firewall, and from there he located a super administrator account, reset its password, and elevated his access across the platform. Think of Claude like GPS: it didn’t invent the road trip, but it made every detour considerably faster.
Here’s what Carroll’s access reportedly covered:
- Festivals affected include Lollapalooza, Bonnaroo, Austin City Limits, Electric Daisy Carnival, and SXSW, according to Android Authority and Cybernews
- Millions of customer and staff records — names, emails, mailing addresses — were potentially exposed; no credit card data was among them
- Carroll added a roughly $4,000 Bonnaroo Platinum ticket to a cart but never completed the purchase
- Front Gate told WIRED the issue was resolved within 24 hours with no evidence of exploitation or customer compromise
Carroll described the platform as “held together by duct tape and prayers,” according to WIRED.
Front Gate pushed back, telling WIRED that Carroll accessed an internal API used by entry scanners at festival venues — not a consumer-facing login portal. Both accounts can be true simultaneously. Carroll said he reported the vulnerability. He didn’t print himself a wristband.
Anthropic’s Blessing (Sort Of)
The AI company says its verification program kept this research from going off the rails.
Anthropic told WIRED its Cyber Verification Program — which pre-approves researchers for defensive security work — would have blocked this activity for anyone outside it. Claude didn’t act on its own; it was a tool in a researcher’s hands, compressing work that might have taken days into something much shorter. Carroll called the ticket-issuing capability “pretty cool” from a technical perspective, according to WIRED. The understatement was doing considerable heavy lifting.
If one approved researcher found this over a weekend, the uncomfortable question hangs in the air: what has someone without approval already found?