How My StubHub Account Got Hacked

It was a Tuesday night around 9pm. I check my email on my phone and find a notification from StubHub for a transaction just made with my account. It just looks like a classic phishing email for 2 tickets to the Hawks vs. Cavs game in Atlanta (which the Cavs won) for $913.20. I was about to delete the email and move on but something caught my interest. What if I actually got charged for this? Was my StubHub account hacked?

So I then went through all of our business accounts and credit cards to verify if any transaction had taken place with them. Nothing. Then I checked my personal credit cards and bank accounts. Nothing. Okay, I was safe, right? Then I decided to log in to my personal PayPal account just to check, and sure enough a transaction for $913.20 had just taken place. A transaction that seemed to have connected right to my bank account. The next day $913.20 was pulled out of my bank account from PayPal.

How did my StubHub account get hacked?

So it was one thing to get my StubHub account hacked; I mean, this isn’t the first time that StubHub has been hacked. But what about my PayPal? This didn’t make any sense. I have an extremely strong password with two-factor authentication enabled. I did not see any reset emails in my email or any attempts at turning two-factor authentication off, and I have a very strong password. Nonetheless, I changed my passwords and verified everything is set up correctly on PayPal to protect from unauthorized use.

So I started to investigate just how this all happened. Did someone grab the password hash from StubHub? I wasn’t phished. Did I have malware on my machine or maybe even a keylogger? (Since then I have already re-imaged my machine clean.) So after some searching I finally got to the bottom of what happened. If you have ever connected your PayPal account to StubHub in the past, it is actively connected to make any transaction at all times. Anyone with access to your StubHub account can instantly make any purchase for a ticket. So forget any type of authentication on your PayPal account: once it’s connected, it is there forever, with no authentication when making a transaction.

I also found out that the only way to remove your PayPal account is to call StubHub and have someone manually remove it. You cannot perform this function online; I asked specifically if there was a way to do this. You also cannot remove a credit card from your account and need to call in for removal. For such a consumer-focused app, you would think they could have this functionality available to their users.

How did StubHub respond?

StubHub sent my case over to their Trust and Safety department. I received no response for several days and decided to call them. The customer service rep notified me that I cannot speak with anyone in that department and that they are still working on the case. He claimed he had no other information available for me and they would call me within 24 hours. Still no call. Then, several days later I get the following email:

Dear Nicholas,

Upon review of the charges on your PayPal account tied to e-mail (my email address) StubHub! has determined this to not be a fraudulent transaction. StubHub.com is not responsible for unauthorized use of credit cards by family members, co-workers or acquaintances.

Order 193179542 is for the Cleveland Cavaliers at Atlanta Hawks Tickets on 4/1/2016 (2 tickets for a total cost of $912.20). This order was purchased off of your StubHub! account tied to e-mail (my email address) and your PayPal account was added to the account to place this order.

We are unable to issue a refund for these charges, but we are able to switch the charges to a different credit card with proper authorization. If you would like to submit a police report or court decision showing this was a theft and not an unauthorized purchase we would be happy to review the charges again. Without these documents StubHub will be unable to issue a refund.

Alternatively, we can work with you to resolve this issue if the tickets were purchased by mistake or by a friend or relative. Please contact our Customer Service department at (866)-788–2482 and one of our representatives will assist you with several different options such as relisting the tickets for sale.

Please feel free to contact us if you have any further questions regarding this issue.

Sincerely,

John
StubHub Trust and Safety

“Awesome StubHub can help me sell stolen tickets to someone else which I never bought.”

I even looked around on StubHub and found someone selling tickets in that exact row and section stating “these seats typically go for over $900 a pair, but I will let them go for $300.”

How did I respond?

Besides cleaning up my online accounts, changing passwords, and investigating what happened, I notified PayPal immediately. PayPal had the case open for a couple of days and then responded back with a credit back to my account for unauthorized use of my PayPal. So I went and called StubHub and told them what happened. I asked to remove my PayPal account, credit cards, and shut down my account. Surprisingly, it was easy to get access to my account; I just needed to tell them an email address and a zip code. I actually told them I forgot my zip code and asked if they could tell me which they had on file. The agent happily read it out, to which I responded “Oh yeah, that’s the one.” They also gave me access to credit card accounts and addresses when I couldn’t “remember” them. I asked if they could remove all of them from my account. I did all of this to verify how weak StubHub’s verification method is for account information access. I probably could have even changed the password, addresses, billing information, or practically anything else over the phone at this point but figured I had already gone too far.

Takeaway

Everyone is at risk of getting hacked; it even happens to the best of us. What is important is to know how to recover from one and to have a plan to respond when it happens to you. Even with the strongest password and controls in place, we are all still at risk. As the CEO of a cyber security company, I am in the spotlight for attacks against my online accounts daily. I am very cautious about what I do online and how I manage my online accounts, and you should be too.

It’s important to note that the average user has almost 30 unique online accounts with passwords sitting all over the place. Take some time to do some password hygiene this quarter and clean up your online accounts. Turn on two-factor authentication on every one of your online accounts where it is available. Finally, if you have StubHub, delete your account immediately until they fix their vulnerabilities. I say this for the best interest of the community and hope this pushes StubHub and similar companies to help protect their customers’ data.

This article originally appeared here on the Curricula security awareness blog. If you haven’t experienced Curricula’s security awareness training yet, check out www.getcurricula.com and request a free demo account.
