eBay’s online ticket resale service Stubhub fell victim to a cyber-scam in which a “global gang” used 1,600 hacked accounts on the service to buy and resell tickets, laundering the profits through European banks and earning a total of $1m.
Three criminals behind the spate of hacked Stubhub accounts were arrested in New York, and a further three in London, according to the BBC’s report.
The scams were complex, involving data from other corporate breaches (such as email addresses and passwords), which was then used to break into legitimate Stubhub accounts. eBay emphasised that its servers had not been accessed, after a high-profile attack earlier this year reportedly exposed customer data.
Accounts hacked - 'no data breach'
The criminals - described by New York County’s district attorney as a “global cybercrime ring” - also used malware to obtain Stubhub logins.
Stubhub’s global head of communications, Glenn Lehrman, said in an interview with Reuters that victims have been reimbursed, and that the firm has been working with law enforcement around the world for more than a year.
Lehrman said, via Sky News’ report, “We did not have anyone who hacked into our system” and described a “pretty intense network of cyber fraudsters working in concert with one another.”
"The arrests today relate to fraudulent transactions that were detected on existing Stubhub customer accounts in 2013," said spokesman Glenn Lehrman.
Passwords from previous data breaches
"These legitimate customer accounts were accessed by cybercriminals who had obtained the customers' login and password either through data breaches of other websites and retailers, or through the use of key-loggers and/or other malware on the customer's own PC.
"Once fraudulent transactions were detected on a given account, customers were immediately contacted by Stubhub's trust and safety team, who refunded any unauthorised transactions."
Money from the hacked Stubhub accounts was laundered through UK bank accounts, Lehrman said, according to SC Magazine’s report.
The use of credentials stolen in data breaches highlights the importance of changing your login details if you suspect your password and username may have leaked in such an attack. An ESET guide to what to do in this event can be found here.