A Blue Jays fan had his tickets stolen online. Here’s how to prevent it from happening to you

A Toronto Blue Jays fan is warning others to be vigilant after expensive tickets he bought for his parents were stolen from his online account. 

James Somersett said he and his girlfriend saved up to get his parents seats just nine rows from home plate to watch the Jays take on the Chicago White Sox on June 21. 

Somersett bought them on StubHub, the ticket reselling platform, but was worried his parents weren’t tech-savvy enough to use the tickets on their phones. So, he called the Blue Jays box office to make sure they could get physical tickets on game day.

But as he was calling to double-check everything was a go, someone was busy stealing the tickets. 

His StubHub account’s password was reset and, shortly after, his parents’ tickets were transferred out of his account for $0 to someone named soccer3921@mail.com.

Somersett didn’t discover this until his parents arrived at the Rogers Centre on game day, leading to a moment of panic and Somersett shelling out $600 for two more seats.

“They deserved this day. And it sucked. It was almost taken away from them,” Somersett told CBC Toronto.

Two cybersecurity experts said it certainly appears Somersett was hacked, though it would take a forensic investigation to figure out who the culprit was. They also say his case is a lesson in keeping online tickets safe and another warning to Canadian fans that online platforms like StubHub aren’t doing enough to protect them.

StubHub, Blue Jays step up after CBC inquiries 

Somersett reached out to CBC Toronto after striking out while trying to get a refund from StubHub, something he was confident would happen when he bought a second set of tickets.

Instead, StubHub emailed him July 1 to say they “do not believe any third party successfully accessed [his] account” and “did not find any suspicious activity.” 

Somersett said his parents, Paul and Lorna, would never miss watching a Blue Jays game at home. (Submitted by James Somersett)

They then recommended he take action, like changing his password, to secure his account. 

“They just brush it off like it’s no big deal,” Somersett said. 

A day after CBC Toronto reached out, a StubHub spokesperson said they will process a full refund for Somersett along with a coupon worth 25 per cent of what he spent on the tickets.

“His experience did not meet our usual standards. We have confirmed his account has been secured,” said Rachel Murray in a statement. 

The Blue Jays organization told CBC Toronto it is offering Somersett two tickets to a future game after it reviewed the situation and found that its box office representatives should have spotted the tickets weren’t in his account when he called in June. 

How thieves broke in 

The tickets, Somersett knows now, were stolen on June 19. Somersett said he’s spent the weeks since trying to figure out what went wrong. 

On June 13, Somersett started getting emails from StubHub saying someone requested to reset his password.

But the emails state that if he didn’t make the request, “you can ignore this email. Your StubHub account is safe.”

This was probably the moment Somersett’s account was being taken over by a fraudster or bot, according to cybersecurity expert Claudiu Popa.

Popa, who co-founded the KnowledgeFlow Cybersafety Foundation, said “credential-stuffing” bots account for up to 70 per cent of retail-site account takeovers in Canada – often taking advantage of passwords or other information that’s leaked online. 

If Somersett used the same passwords across different platforms – something he said he sometimes does – that might have been enough for bad actors, according to Evan Light, an associate professor of policy studies at the University of Toronto. 

Evan Light, an associate professor of policy studies at the University of Toronto, says the onus should be on StubHub to ensure people’s accounts are secure. (Robert Krbavac/CBC)

He said the most likely scenario is that someone gained access to Somersett’s email account and used it to reset his StubHub password — which can be done without two-factor authentication or security questions, something he thinks the reseller should be mandated to require.  

“StubHub has a massive security hole,” Light told CBC Toronto after reviewing the company’s initial email assuring Somersett his account was safe.

Light says despite the company having some safeguards, it should do more to protect its customers.  

“You can make it work. I think companies just need to care,” Light said.

Somersett said he’s learned a lesson about keeping his digital accounts secure, but remains frustrated with StubHub. He did thank the Jays for the ticket offer, calling the offer “amazing.”

Here’s how Popa recommends protecting yourself against a situation like this:

  • Change your passwords after big public leaks.

  • Use an app-based multi-factor authentication tool for any ticketing sites.

  • Consider using a single-use “virtual credit card” for ticket purchases.

  • Verify ticket transfers before you call the box office and get proof of ticket transfers from whoever you buy from.

  • Use mobile e-tickets with in-app delivery when possible.
