NEW YORK – Six people were indicted Wednesday in an international ring that managed to take over more than 1,000 StubHub users’ accounts and fraudulently buy tickets to prime events such as Jay-Z and Elton John concerts, a New York Yankees-Boston Red Sox game and Broadway shows, the Manhattan district attorney said.
Manhattan District Attorney Cyrus R. Vance Jr. said the thieves would then resell the tickets and split up the proceeds.
He said investigators pored over more than 1,600 compromised accounts to trace the accused thieves via Internet protocol addresses, PayPal accounts, bank accounts and other financial accounts around the world.
Money stolen in the scheme, in ticket value, was at least $1.6 million, he said.
In addition to the six people indicted in the New York City case, four others have been arrested internationally: three in London and one in Toronto, under charges in their respective countries, Vance said.
StubHub said it was alerted to “a small number of accounts that had been illegaly taken over by fraudsters” last year and the online ticket seller began working with authorities around the world.
StubHub, which is based in San Francisco, said that the thieves didn’t break through its security — rather, they got account-holders’ login and password information from data breaches at other websites and retailers or from key-loggers or other malware on the customers’ computers, spokesman Glenn Lehrman said.
“It is important to note, there have been no intrusions into StubHub technical or financial systems,” Lehrman said.
“We are pleased to be able to play a role in this effort as part of StubHub’s continuing commitment to maintaining safe and open markets for fans to buy and sell tickets.”
The company detected the unauthorized transactions last year, contacted authorities and gave the affected customers refunds and help changing their passwords, he said.
StubHub, owned by eBay Inc., is the leading digital marketplace for reselling concert, sports, theater and other tickets, offering brokers and fans a way “to buy or sell their tickets in a safe, convenient and highly reliable environment,” as its website pledges. The company, which serves as an official secondary ticket market for such entities as Major League Baseball, this spring unveiled plans to become an event producer itself, selling tickets to a handful of its own concerts.
In the last few years, major companies such as Target, LinkedIn, eBay and Neiman Marcus have been hacked. Target, the nation’s second-largest discounter, acknowledged in December that data connected to about 40 million credit and debit card accounts was stolen as part of a breach that began over the Thanksgiving weekend. Even Goodwill Industries Inc. found itself announcing last month that shoppers’ payment card data might have been stolen.
Ticket-sellers also have been targeted. The event ticketing service Vendini recently settled a class action lawsuit related to a data breach in 2013.
Since many people use the same passwords at multiple retailers, hackers who get hold of a password for one site often try it at another, Lehrman said.
Authorities generally advise consumers to protect against possible identity theft from such breaches by keeping close watch on their bank statements and using credit card monitoring services, among other tips.