It was a 2D QR code on the ticket.
I'm not too up on the vulnerabilities within that but at a basic level if you copy it, it will work, and allow the first person in.
So if your mates got a ticket and you take a picture, it works.
If you scour Twitter/Instagram you can copy one. To monetise that - then forge the ticket, change seat details (to look legit) but not even both to change the QR code because nobody would compare - they'd only compare the seat details when buying. And sell as many as you can at a big event. (Boss event).
I'd imagine this is fairly low level. Perhaps even an LFC fan, or perhaps a local Bayern fan doing it for every event.
I don't know if you can decode and regenerate. I think it's a bit more secure than that? Otherwise you'd have millions attending concerts/events. So I'd imagine it's just the basic copy/paste.
However multiple people on Twitter saying they had issues on their own ticket. I'd ask them - did they post the picture anywhere at any point? If not it points to someone more sophisticated (which I doubt), or points back to the source point where you can take a copy of the code - i.e ticket office, handling etc.
Just guessing like. Surprised it doesn't happen a lot more for QR based turnstiles. How many people do we know of who said they were the original holder that had issues? I noticed on twitter around 2 people? Did these post photos? Or was it a lot more people?
Thankfully 2 things. That stadium is so big it's thankfully not dangerous to have a few more in. It sounds like everyone got in after explanations. In other cities it would have been a big issue.