A Researcher Used Claude to Unlock Ticketing Systems for Nearly Every Major US Music Festival

Security researcher Ian Carroll used Claude Opus 4.7 to breach Front Gate Tickets, exposing data tied to Lollapalooza, SXSW, and more

Rex Edison Avatar
Rex Edison Avatar

By

Image: Deposit Photos | Edited by:Gadget Review

Key Takeaways

Key Takeaways

  • Researcher Ian Carroll used Claude Opus 4.7 to breach Front Gate Tickets’ festival infrastructure.
  • SQL injection exposed millions of records and nearly generated a free $4,000 Bonnaroo wristband.
  • Anthropic’s Cyber Verification Program authorized the research, raising questions about unapproved actors.

Let’s say you have a $4,000 Bonnaroo Platinum wristband on your arm. Now imagine someone generating it from a laptop without paying a cent. According to WIRED, security researcher Ian Carroll did almost exactly that — stopping just short of checkout — after using Anthropic’s Claude Opus 4.7 to crack open the ticketing infrastructure behind nearly every major US music festival. The report, published July 1, 2026, details how AI accelerated a vulnerability hunt that exposed Front Gate Tickets, a platform owned by Live Nation Entertainment.

How an AI Cracked the Gate

Carroll reportedly bypassed a web application firewall and walked straight into an admin account.

The flaw was an SQL injection — a technique that tricks a database into exposing data it shouldn’t. Claude helped Carroll navigate past the firewall, and from there he located a super administrator account, reset its password, and elevated his access across the platform. Think of it like GPS: it didn’t invent the road trip, but it made every detour considerably faster.

Here’s what Carroll’s access reportedly covered:

  • Festivals affected include Lollapalooza, Bonnaroo, Austin City Limits, Electric Daisy Carnival, and SXSW, according to Android Authority and Cybernews
  • Millions of customer and staff records — names, emails, mailing addresses — were potentially exposed; no credit card data
  • Carroll added a roughly $4,000 Bonnaroo Platinum ticket to a cart but never completed the purchase
  • Front Gate told WIRED the issue was resolved within 24 hours with no evidence of exploitation or customer compromise

Carroll described the platform as “held together by duct tape and prayers,” according to WIRED.

Front Gate pushed back, telling WIRED that Carroll accessed an internal API used by entry scanners at festival venues — not a consumer-facing login portal. Both accounts can be true simultaneously. Carroll said he reported the vulnerability. He didn’t print himself a wristband.

Anthropic’s Blessing (Sort Of)

The AI company says its verification program kept this research from going off the rails.

Anthropic told WIRED its Cyber Verification Program — which pre-approves researchers for defensive security work — would have blocked this activity for anyone outside it. Claude didn’t act on its own; it was a tool in a researcher’s hands, compressing work that might have taken days into something much shorter. Carroll called the ticket-issuing capability “pretty cool” from a technical perspective, according to WIRED. The understatement was doing considerable heavy lifting.

If one approved researcher found this over a weekend, the uncomfortable question hangs in the air: what has someone without approval already found?

Share this

At Gadget Review, our guides, reviews, and news are driven by thorough human expertise and use our Trust Rating system and the True Score. AI assists in refining our editorial process, ensuring that every article is engaging, clear and succinct. See how we write our content here →