The Internet was aflutter Wednesday with reports that eBay-owned ticket reselling marketplace StubHub was targeted by a ring of cybercriminals. If you only skimmed the headlines it might be easy to assume this was another case of a retailer whose networks were infiltrated, but according to the company and Manhattan District Attorney Cyrus Vance, the company's actual systems weren't affected. Instead, more than 1,000 users were the victims of "account take-over" fraud.
"Legitimate customer accounts were accessed by cyber criminals who had obtained the customers' valid login and password either through data breaches of other businesses, or through the use of key-loggers and/or other malware on the customers' PC," a news release from the company explained.
According to the Manhattan Manhattan District Attorney's office, in March 2013, StubHub discovered that more than 1,000 user accounts were compromised, and pre-existing credit card information associated with the accounts was used to purchase tickets to concerts and sporting events. The fraudsters then allegedly sold the tickets locally in New York and New Jersey hours before the events.
StubHub notified authorities and took security measures to prevent the hackers purchasing more tickets, but investigators learned that the hackers were able to get around the added protocols by using new credit card information stolen from other victims. Authorities were able to track down the alleged fraudsters by tracing down the IP addresses used in the transactions as well as Paypal and other financial accounts controlled by the six individuals indicted as part of the cybercrime ring.
The hackers allegedly scammed StubHub out of $1 million through the scheme and undoubtedly it was an agonizing experience for the individual users who were affected. But in a world where hackers are breaking into major retailers and stealing the credit card information of tens of millions of customers, as happened with Target, the StubHub "hack" is more of a reminder that consumers should be vigilant about their own personal cybersecurity measures -- like scanning their computer for trojan malware that might spy on their keystrokes and remembering not to re-use passwords across services.
"Regardless of where the case originates, nearly every cybercrime case begins with similar breaches: a stolen password, unauthorized use of a credit card, or unaccountable charges on a personal statement, for example," Vance explained.
Correction: An earlier version of this story referred to Manhattan District Attorney Cyrus Vance as Manhattan Attorney General. We regret the error.