Authorities in three countries have made seven arrests and handed down three additional indictments related to the StubHub cyber-theft case.
StubHub, which is owned by eBay, is an online secondhand marketplace dedicated to the resale of concert and other event tickets. On Tuesday, July 22, an unnamed law enforcement official said (and a StubHub spokesperson later confirmed) that authorities had discovered over 1,000 StubHub user accounts had been compromised, and used to fraudulently buy or sell tickets.
The thieves never actually managed to break into the StubHub database itself. Instead, they stole customers' password and login information from other sources — either hacking into less-secure retailer databases, or even installing keylogging malware on victims' personal computers.
Incidentally, this explains why “Don't use the same password across multiple accounts” is a standard online security rule; otherwise, a thief who hacks into one of your accounts also gains access to any additional accounts using the same password. That's what happened with the StubHub accounts.
Late on July 23, the office of Manhattan District Attorney Cyrus Vance, working with the Royal Canadian Mounted Police and police for the City of London, published a release announcing indictments against six people, in an international theft ring with members in Russia, Canada, the U.S. and the U.K. The suspects include three Russian nationals (Vadim Polyakov, Nikolay Matveychuk and Sergei Kirin) and three Americans (Daniel Petryszyn, Laurence Brinkmeyer and Bryan Caputo).
By the next morning, authorities in London, Toronto, New York State and Spain had all made arrests related to the case; as of Thursday afternoon, the number had increased to seven arrests, plus three indictments with arrests presumably forthcoming.
The total number of compromised StubHub accounts was just over 1,600. The thieves used those accounts to buy 3,500 tickets to expensive, high-demand events; DA Vance's office said these included “concerts featuring Elton John, Marc Anthony, Justin Timberlake and Jay-Z; athletic events including Yankees baseball games, Giants and Jets football games, Knicks and Nets basketball games, Rangers hockey games, and the U.S. Open; and Broadway shows, such as Book of Mormon.”
The tickets were then re-sold, with the money diverted into various PayPal accounts, or German and British bank accounts, which the thieves controlled. In all, the thieves managed to defraud StubHub customers of over $1 million.
StubHub, however, has reimbursed the affected customers rather than make them absorb the costs themselves.