Sold-out concerts have scammers hacking in and reselling Taylor Swift tickets right before their eyes.

With only two cities on Taylor Swift's U.S. Lover Fest schedule, tickets were a tough get when they went on sale in October. But now, some Swifties say that their nail-bitingly long queuing and money has gone to waste. "It was terrible," says Christine Benway, 26. "I could literally see my tickets up for resale in front of my own eyes."

Angry fans took to Twitter in January, claiming someone had hacked into their Ticketmaster accounts, transferred their Lover Fest tickets and then resold them -- either on Ticketmaster's resale platform or on a third-party site like StubHub. Most of the fans reported that hackers then flooded their inboxes with hundreds of emails to bury the Ticketmaster transfer notification.

"[I] noticed I had many odd emails, like subscriptions to websites I had never heard of," said Erin Smith, who had bought tickets to Swift's Aug. 1 show at Gillette Stadium in Foxborough, Massachusetts. "When I finally got the chance to go through these emails, I found one from Ticketmaster saying that my tickets had been transferred to someone I did not know. I was obviously shocked."

Getting tickets required hard work. Before Lover Fest tickets went on sale, Swift fans were invited to register through Ticketmaster's Verified Fan program, which their site claims "level[s] the playing field so more tickets go to fans who intend to go to the show -- not ticket bots." Swift was one of the first artists to use the Verified Fan program for her Reputation tour in 2017, encouraging fans to purchase tour merch and stream her music to boost their chances at a good spot in line -- as granted through a unique access code sent to their phone. But spending extra money didn't guarantee a code and lucky fans who did receive them were only given "the opportunity to be invited" to buy tickets. "Boosts" were not an option for Lover Fest.

"I had friends wait hours and hours online," Benway says. Thankfully, she was luckier than her Swiftie pals. After 15 minutes, Benway scooped up Lover Fest tickets to the July 25 show opening the new SoFi Stadium in Inglewood, California, with her presale code. But they didn't stay in her account very long.

One fan tweeted a Ticketmaster customer service rep claimed "it was an issue they were having specifically with the Taylor Swift concert because of the popularity." According to a Ticketmaster spokesperson, a spike in account hackings correlates to "high-profile events" -- not just Lover Fest.

"These fraudsters tend to go after more valuable goods across all industries, which in this case, appears to be impacting some ticket-buyers," Ticketmaster's spokesperson says.

"One thing that was really odd to me is that I actually had tickets to two different concerts associated with my account, but only the Taylor Swift tickets were stolen," says Asasia Richardson, 24. (Her Harry Styles tickets were untouched.)

Other victims told Billboard that their Post Malone and Lumineers tickets were swiped. Another customer took to Reddit to complain about the same thing happening with Hamilton tickets.

I didn’t want to take to Twitter and I’m sure nothing will come of this anyway, but it’s worth a shot. Someone hacked my Ticketmaster account and transferred my @taylorswift13 tickets to themselves. Apparently all the Ticketmaster fraud department could do about it was give me pic.twitter.com/giSBNryi87 — Erin Smith (@smith_erin19) January 7, 2020

Ok @Ticketmaster I am officially freaking out. I have NO IDEA who this person is and I DID NOT TRANSFER MY TICKETS TO ANYONE. WHAT IS GOING ON?!?!?! pic.twitter.com/VPgIpvpPAL — jamie (@glitterontheflr) December 15, 2019

@Ticketmaster at what point are you going to accept fault for the data breach that resulted in tons of people having tickets stolen from their accounts? I still don’t have my 4 @taylorswift13 Lover fest tickets after multiple phone calls and complaints. — robin (@batmanandR0BIN) January 5, 2020

Kaitrin Sullivan's Post Malone tickets were stolen three months after her boyfriend bought them in November for a Valentine's Day gift. Ticketmaster was unable to retrieve their original tickets, but after months of back-and-forth, they issued brand-new tickets to her.

"I feel horrible for all the people who this happened to who won't notice until they show up at their show," says Sullivan, 27.

If a hacker has access a person's Ticketmaster password, possibly obtained from a security breach elsewhere, they can gain access to their account. And Ticketmaster says there's only one way to avoid this: creating a completely unique password for the site.

Ticketmaster would not disclose the number of account takeover claims filed for the Lover Fest events, or for their website in total.

But is there something more that Ticketmaster could be doing besides instructing users to change their passwords? When it comes to protecting online accounts, two-factor authentication and multi-factor authentication -- which requires users to enter a code sent to their phone during login -- is a must, says cyber security expert Steve Morgan, editor-in-chief at Cybersecurity Ventures.

"App providers, in my opinion, have not only a technical obligation, but also a moral and ethical one, to provide this extra level of security when they know their users and customers are exposed without it," Morgan says.

Ticketmaster doesn't currently offer two-factor authentication at login -- only when a user is buying tickets. And two-factor authentication isn't required to transfer tickets either.

It's no secret that Ticketmaster understands the value of Taylor Swift tickets -- the Live Nation owned company operates one of the world's largest ticket resale sites with thousands of Taylor Swift tickets for resale on its platform. A company source tells Billboard that rumors Ticketmaster makes money selling a fraudulently acquired ticket twice simply aren't true -- in fact, the company loses money every time a fraudulent ticket is resold on their platform because they are legally obligated to return the original ticket and provide a replacement for the secondary ticket purchased by another fan, which Ticketmaster has to buy at after-market prices.

That can be expensive. The Financial Times reported in 2018 that tickets for Swift's Reputation tour were market up a cumulative average if $1.4 million per show, which for a typical 17,000-seat arena equals about $82 per tickets.

The source at Ticketmaster said investigating and piecing together who is a fan who is a bad actor takes time, and the best way fans can protect themselves is by creating a unique password for their Ticketmaster account. After all, Swift's Lover Fest tickets are reselling on Ticketmaster's resale platform and other resale sites for between $235 to more than $3,000 per ticket.

High-priced tickets are a harder sell, which is why some scammers are dumping stolen tickets at or below face value. Benway says she saw her $200 floor seat selling for exactly that: $200.

"Other fans saw that and tried to snatch them up immediately," Benway theorizes. "So the scammer transferred my tickets to them, and immediately sold them for face value so they would be purchased quickly by another fan, in which the scammer would then transfer the money and delete their fake account."

The victims Billboard spoke with reported a mixed experience with Ticketmaster's fraud department. If their tickets were already resold, there's nothing that could be done, they were told. However, if they were not resold, tickets were easily moved back into the rightful owner's account. On one occasion, a fraud claim had already been filed by Ticketmaster before the customer even called. Ticketmaster tells Billboard it is "assisting those affected."

Fans are desperately doing everything they can to prevent fraud -- some claim will call and transferring tickets to Apple Wallet may help, but Ticketmaster's spokesperson says no. The only way to stop scalpers from scooping tickets within your account is to create a totally unique password on the site.

At press time, a Swift rep has not responded to request for comment.