Six Charged in Connection with $1 Million StubHub Breach

Share it on Twitter  
Share it on Facebook  
Share it on Linked in  

Manhattan District Attorney Cyber R. Vance, Jr., this week announced the indictment of six men worldwide in connection with the theft of personal and financial information from user accounts at eBay subsidiary StubHub.

In March 2013, StubHub discovered that more than 1,000 customer accounts had been compromised by attackers who used the breached accounts to purchase tickets without the account holders' authorization, then resold those tickets at a profit.

In a statement, StubHub noted that the account breaches were not the result of a compromise at StubHub itself. "Legitimate customer accounts were accessed by cyber criminals who had obtained the customers' valid login and password either through data breaches of other businesses, or through the use of keyloggers and/or other malware on the customers' PC," the company said.

Vadim Polyakov, 30, and Nikolay Matveychuk, 21, are charged with using stolen account information and credit card numbers to purchase more than 3,500 e-tickets for events ranging from Elton John concerts to Yankees baseball games.

Daniel Petryszyn, 28, Laurence Brinkmeyer, 29, and Bryan Caputo, 29, are charged with reselling stolen tickets they received from Polyakov and others, then delivering the proceeds of those sales to several different PayPal accounts as well as bank accounts in the U.K. and Germany.

Sergei Kirin, 37, a Russian national, is charged with receiving and laundering stolen funds from Petryszyn, Brinkmeyer and Caputo.

In connection with the same case, City of London Police detectives recently arrested three men, and the Royal Canadian Mounted Police arrested one man.

City of London Police Commissioner Adrian Leppard said in a statement that the indictment represents a milestone in the City of London Police's working relationship with the New York District Attorney's Office. "This is an important investigation, targeting cyber criminals who are believed to have defrauded StubHub out of $1 million, by hacking its United States customers' accounts to fraudulently purchase and sell tickets, and then laundered their criminal profits through legitimate UK bank accounts," he said.

Core Security vice president for advanced security and strategy Eric Cowperthwaite said by email that this incident should serve as a reminder of the risks of password reuse. "[I]dentity data is a target for the bad guys," he said. "Once they’ve acquired that data, they will use it to target other systems. Since most people use the same IDs and passwords across multiple systems, this bad guy strategy has a high likelihood of success."

"People need to protect themselves and the companies they do business with by using unique, complex passwords on each system," Cowperthwaite added. "It’s especially important to make sure email and financial account passwords are different."

Still, U.K. regulator Ofcom reported last year that 55 percent of adults use the same password for most, if not all, Web sites.

In previous articles, eSecurity Planet has examined five leading password managers, and three different types of enterprise password policy enforcement tools.