StubHub the latest victim of cyber thieves

by. Nicole Reyes

Earlier this summer, I posted about hackers going after more than just payment data with their intrusions.  The recent news of StubHub’s run-in with cyber thieves is a perfect example of this desire for access to other types of accounts.  The online ticket reseller announced customer accounts had been hacked, and the criminals were able to buy tickets to events through the site using the stolen account information.

According to the announcement, more than 1,000 accounts were accessed fraudulently. The company said the hackers did not break through Stubhub’s own security. Instead, they obtained Stubhub usernames and passwords from other sources. These include the websites of retailers involved in their own data breaches and malware installed on victims’ computers. Because consumers often use the same login credentials for several sites, the thieves were able to apply the stolen usernames and passwords at Stubhub.

Company spokesperson Glenn Lehrman said, “The company detected the unauthorized transactions last year, began working with authorities and gave the affected customers refunds and help changing their passwords.”  Although StubHub is based in San Francisco, the case has apparent international reach. In fact, of the arrests made in the case, three were in London, and one was in Toronto.

This hack underscores the fact that attackers don’t have to breach your systems to gain access to your customers’ accounts. Vulnerabilities in your customers’ own systems and even poor personal security habits can open your online and mobile banking door just wide enough to let the criminals in.

continue reading »