StubHub’s Privacy Nightmare Means Scammers Take Root

Photo Credit: Redd Francisco

A new form of fraud appears to be targeting StubHub users who are both buyers and sellers on the platform—stealing tickets and racking up debt. Here’s how it works.

The fraudsters appear to be taking advantage of StubHub’s lack of actual privacy features, reverse engineering ‘obfuscated’ emails to assume control of the targeted account. Those who are targeted will wake up to an email stating that a StubHub representative has changed their email address—at the request of the scammers.

One user reporting the fraud says he attempted to purchase tickets while having active listings for other events on his account. “The ‘seller’ used the fake listing to get my email (required to transfer tickets) and then somehow got StubHub to update my account email address to theirs,” the user on reddit reports. “Once inside my account, they changed my phone number, dropped the prices on my active listings (likely buying them themselves) and instantly downloaded the tickets that were available for immediate delivery.”

When the aggrieved party contacted StubHub, the customer service rep informed them the account was frozen and would be for three of four days. “Fast forward to 9 am and I start getting charges on my credit card linked to StubHub, totaling thousands of dollars until the card maxed out. The hackers were buying tickets through my account, using my cards. So clearly my account wasn’t frozen like I was told.”

“At this point, I’m out over $10,000 and all they’ve told me is to wait and someone from the fraud team will call me back—they don’t even have a case or reference number for me,” the person continues. When asking customer service reps how it was possible for anyone to change the account email when they had two-factor authentication enabled—StubHub refused to answer. This isn’t the only instance of customer service-assisted fraud that appears to be rife on the platform.

“Same thing happened to us—also with 2FA and somehow the email was changed. Luckily we locked our credit cards before the person attempted charges but they tried multiple charges, tried to sell fraudulent tickets through our account and then changed the name of the account to ‘F*** you N***** as one final parting gift,” reads a reply to the original poster.

For anyone who uses the StubHub platform to buy and sell tickets at the same time, be wary. The way StubHub obfuscates email addresses between buyer and seller leaves the platform open to abuse because the platform only hides the portion of the email after the @ symbol. Since most people use free email providers like Gmail, this portion of the email is extremely easy to guess.