Stolen Passwords At Core Of StubHub Breach, Company Says


Six men face money laundering, identity theft and grand larceny charges for their roles in an international cybercrime ring that defrauded online-ticket reseller StubHub of $1 million by purchasing thousands of fraudulent e-tickets to popular concerts, sporting events and Broadway shows.

Police charged Vadim Polyakov, 30, of Russia and Nikolay Matveychuk, 21, of New York with using stolen account credentials to access StubHub accounts and then using stolen credit card numbers to purchase more than 3,500 fraudulent e-tickets. The tickets were to a variety of concerts featuring Elton John, Marc Anthony, Justin Timberlake and Jay-Z, according to Manhattan District Attorney Cyrus R. Vance, Jr., who announced the indictments Wednesday. Investigators believe the e-tickets were sent to a group of individuals in New York and New Jersey to be resold within hours of an event.

StubHub, a subsidiary of eBay, discovered the fraudulent purchases in March, investigators said. The men are believed to have obtained the usernames and passwords through either a data breach or the use of malware, StubHub said in a statement. Police believe the men also used new credit card information stolen from additional victims to circumvent security protocols within the accounts. Once the fraud was identified, StubHub added security measures to prevent account hijacking.

"Once fraudulent transactions were detected on a given account, affected customers were immediately contacted by StubHub's Trust and Safety team and refunded any unauthorized transactions," StubHub said in a statement. "We also assisted customers with changing their password to secure their account from further activity."

The other men being indicted are believed to have played a role in a money-laundering scheme involving transferring the proceeds through a global network of people in the United States, United Kingdom, Russia and Canada. Daniel Petryszyn, 28; Laurence Brinkmeyer, 29; and Bryan Caputo, 29, are charged with reselling stolen tickets they received from Polyakov. The money made from ticket sales was then directed to multiple PayPal accounts controlled by Polyakov, investigators said.

Investigators traced the fund transfers from the PayPal accounts to Sergei Kirin, 37, a Russian national, who advertised money-laundering services online. Thousands of dollars were also split into separate payments and sent by wire transfer to other money-launderers in London, England and Toronto, Canada, investigators said.

Polyakov was arrested July 3 at a hotel in Barcelona where he was vacationing and is being extradited to the U.S. to face the charges. Authorities in London and Canada also made arrests of people associated with the money laundering operation.

Stolen passwords are at the root of nearly every major data breach, according to forensics investigators and other security experts. It only takes seconds for an attacker to gain access to sensitive information protected by weak or default account credentials, according to the 2014 Verizon Data Breach Investigations Report.

The rising value of stolen account credentials has fed a litany of password breaches at online services, social networks and ecommerce sites. eBay, which owns StubHub, reset the passwords of all 145 million users of its site in May following a security incident in which a stolen employee password led to a breach of passwords and the personal information of account holders.

Technology alone cannot solve the issue, said Andrew Sherman, the security practice lead at New York City-based solution provider Eden Technologies. Organizations need to protect sensitive information and are starting to realize that system complexity leads to common configuration errors and weaknesses that lead to many security incidents, Sherman said. But people and end users need to be better educated, and the processes involved should be thoroughly documented to identify the weakest points in the system that pose the biggest risk, he said.

"Attackers have done a remarkable job of using social engineering to get users to run malware," Sherman said.

PUBLISHED JULY 23, 2014