By Matt Rivers and Ian Bush
PHILADELPHIA (CBS) — It’s the destination website for many sports fans and concert goers. But it appears that stubhub was also the destination for hackers.
An international cybercrime ring is busted, authorities say, with the indictment in New York of six people accused in a million-dollar fraud. Their victims are nearly two thousand StubHub users, but that online ticket reseller wasn’t hacked — at least, not in the traditional sense of the word.
Call it instead an ‘illegal takeover,’ says Cyrus Vance, Jr., the District Attorney of Manhattan.
“The tickets are for Justin Timberlake concerts, tickets related to orchestra seats to sold-out Broadway shows,” Vance said.
But Vance says the suspects didn’t breach StubHub’s security; instead, they typed in user names and passwords gleaned from hacks on other websites or from keylogging malware. More than 1,600 of those combinations worked, and unlocked free money from credit cards stored on StubHub.
“Once they got in, they had access to all the personally identifying information which enabled them to make the purchases,” Vance said.
Prosecutors say more than 3,000 tickets were put up for sale at prices that quickly moved the inventory; every penny was a profit.
For one Philadelphia victim, it was Eagles playoff tickets. A Philadelphia man noticed he’d bought and sold tickets to the game via his StubHub account, only he didn’t do that.
Someone had hacked into his account, sold the tickets and pocketed the profits.
StubHub sent him this email acknowledging the fraud and gave him his money back. Turns out, he wasn’t alone.
“More than 1,600 StubHub user accounts were compromised and used to purchase thousands of tickets,” said Vance.
On Wednesday, Vance, Jr. announced federal charges against several men in a cybercrime syndicate.
Starting early last year, two Russian nationals would hack into accounts and buy tickets, about 3,500 in total, valued at over $1.5 million.
They then would email the tickets to two men in Manhattan and New Jersey, who would resell them.
Then, that money would be laundered in Canada and England.
“Today’s law enforcement action reflects the increasingly global landscape in which cyber criminals operate,” said Vance, Jr.
StubHub was founded in 2000 and sold in 2007.
It’s now owned by eBay, a company with its own history of recent cyber security problems. Back in May, millions of eBay customers were asked to change their passwords after the company said one of its databases was hacked into.
The two crimes aren’t necessarily connected, but experts say user data stolen in one crime can easily be used to commit another.
“For every single one of the sites that you’re doing business, be changing your passwords for all of them and be doing it on a routine basis,” said Norm Balchunas, the operations manager of Drexel University’s Cybersecurity Institute.
Balchunas called it practicing good cyber hygiene. Officials say they’re still unsure how the hackers first obtained StubHub users’ information, but in the meantime, it’s a reminder for the rest of us to look out online.
Three Americans are among those charged in what Vance calls an ID theft and money laundering ring.
StubHub has issued refunds to customers who were affected.
The case is another reminder not to use the same password across multiple websites, especially those that store things like payment details.
You may also be interested in these stories: