StubHub Hit in Cyber-Attack That May Have Stolen $10M in Tickets

Online ticket service StubHub was reportedly hit in a cyber-attack that compromised more than a thousand accounts.

Arrests are expected to be officially announced today. According to reports, the attack was the work of a cybercrime operation that spanned the globe and may have stolen some $10 million in tickets. After the tickets were purchased through the compromised accounts, the tickets were then distributed to a network of resellers.

Contacted by SecurityWeek, StubHub spokesperson Glenn Lehrman explained in a prepared statement that the company was alerted in 2013 that user accounts had been illegally accessed by cybercriminals. Since then, the company has been working with law enforcement agencies around the world, he said.

According to Lehrman, the attackers didn’t actually break StubHub security. Instead, it is believed they stole users’ login information in data breaches of other sites and used it to break into their StubHub accounts. It is also possible that certain customers’ computers were compromised with keyloggers or other credential-stealing malware that allowed the attackers to swipe their StubHub logins.  

“People often reuse the same credentials on different sites and once these are harvested they can be used to perform attacks elsewhere the person also has an account,” said Richard Westmoreland, lead security analyst at SilverSky. “Best practices suggest people should use unique passwords for every account – but in reality this is difficult to manage when it is common to have dozens of accounts.”

A recent report from Microsoft suggested that using strong password for every site may be overwhelming for the average user. Instead, sites should be grouped according to their value. Strong passwords, the paper recommended, should be used for sites that have sensitive user information, while weaker passwords could be shared among the groups of sites with less sensitive data.

However Troy Gill, senior security analyst at AppRiver, argued that this breach serves as a reminder that unique passwords should be used for each online account.

“A stolen password may reveal the formula to all of your other passwords, or worse, give hackers immediate access to those accounts that use the exact same password,” he said.

“AppRiver blocks an awful lot of email and Web-based malware that is designed to harvest users’ personal information and account credentials,” added Gill. “Users should be aware that it’s not just their financial information that is attractive to hackers, but so too is any information they can leverage to commit fraud and turn a profit.”

According to reports, the ringleader of the operation is Russian citizen Vadim Polyakov, 30, who authorities said has been detained in Spain and faces extradition to the United States. Other arrests and raids are expected to be announced today in the U.K., Canada and the United States.

“The global law enforcement community has sent a strong message to the individuals that commit these crimes,” said Robert Capps, senior director of customer success at RedSeal Networks and former head of global trust and safety for StubHub. “You are no longer safe to travel and operate outside of your home country, without significant risk of arrest and prosecution. Isolation is a powerful force in the effort to change behaviors.  Confined within the borders of their home country, I suspect we’ll see a change in behavior of some of these criminals.”