Authorities in the United States, the United Kingdom and Canada have made arrests of six individuals who are alleged to have breached accounts at eBay’s ticket reseller StubHub.
The breach was first discovered by StubHub in March 2013. StubHub identified that more than 1,600 of its user accounts had been compromised and that account holders’ credit cards were used to fraudulently purchase tickets for various events, including a Justin Timberlake concert and New York Yankees baseball games.
The attackers moved money and operated in the United States, the United Kingdom, Russia and Canada. One of the alleged attackers, Vadim Polyakov, was arrested in Spain by U.S. Secret Service agents working with Spanish authorities. The other defendants are New York resident Daniel Petryszyn, New Jersey residents Laurence Brinkmeyer and Bryan Caputo, and Russians Nokolay Matveychuk and Sergei Kirin. Charges against the defendants include identity theft, money laundering and grand larceny.
“Cybercriminals know no boundaries—they do not respect international borders or laws,” Manhattan District Attorney Cyrus R. Vance Jr. said in a statement. “Today’s arrests and indictment connect a global network of hackers, identity thieves, and money-launderers who victimized countless individuals in New York and elsewhere.”
Vance added that the coordinated actions of law enforcement in the United States, the United Kingdom and Canada demonstrate what can be achieved through international cooperation.
In a statement, StubHub stressed that its financial systems were not breached and the user accounts were taken over via other means.
“Legitimate customer accounts were accessed by cyber criminals who had obtained the customers’ valid login and password either through data breaches of other businesses, or through the use of key-loggers and/or other malware on the customers’ PC,” StubHub stated.
The StubHub incident and arrest is seen by at least one security expert as yet another sign of the trouble with the current usage of passwords. Phil Dunkelberger, CEO of Nok Nok Labs, noted in an email to eWEEK that the fraudulent purchases made on StubHub using stolen usernames and passwords are just the latest example of one of the key problems in online security—password reuse.
“When someone reuses a password across multiple sites, it is only as strong as the weakest link,” Dunkelberger said. “By using the same password to access your local pizza delivery account as you use to access your bank account, or in this case your StubHub account, you can have serious implications for financial or other sensitive data.”
The risk of password reuse was also highlighted by Eric Cowperthwaite, vice president of Advanced Security and Strategy at Core Security. The fact that many individuals reuse the same passwords across multiple sites makes it easier for attackers to exploit those users.
“People need to protect themselves and the companies they do business with by using unique, complex passwords on each system,” Cowperthwaite stated. “It’s especially important to make sure email and financial account passwords are different.”
Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com. Follow him on Twitter @TechJournalist.