AP reports:
Cyber thieves got into more than 1,000 StubHub customers’ accounts and fraudulently bought tickets for events through the online ticket reseller, a law enforcement official and the company said.
Arrests were expected in a case that sprawled across international borders, said the official, who wasn’t authorized to discuss it ahead of arrests being announced and spoke on the condition of anonymity.
[…]
StubHub, which is based in San Francisco, said that the thieves didn’t break through its security — rather, they got account-holders’ login and password information from data breaches at other websites and retailers or from key-loggers or other malware on the customers’ computers, spokesman Glenn Lehrman said.
The company detected the unauthorized transactions last year, contacted authorities and gave the affected customers refunds and help changing their passwords, he said.
Read more on CP24.
So are you still re-using login credentials across websites? If StubHub is accurate in its claims about how the attack occurred, this sounds like most of the responsibility is not theirs. Could other authentication have prevented some of this? I’ll leave that to the security experts/professionals to debate, but as users/customers, we do need to look at our own behavior and whether we do enough to protect ourselves.