The StubHub Ticket Heist: When Cybercriminals Outsmarted the Entire Concert Industry with Basic URL Tricks

Want to Steal £500,000 Worth of Taylor Swift Tickets? All You Need is a Dodgy URL and Some Nerve

In what can only be described as the digital equivalent of lifting a handbag off a park bench, two enterprising criminals — Tyrone Rose and Shamara Simmons — managed to steal and resell 900 concert tickets, raking in over $600,000. Their target? StubHub. Their method? Grabbing ticket URLs and reselling them like they were flipping gig tickets outside Wembley.

This isn’t hacking. This is what happens when a multi-billion-dollar platform decides that a URL — the same thing you copy and paste into Slack — is good enough to protect high-value digital assets.

How They Pulled It Off

It works like this:

  1. A legitimate buyer purchases a ticket through StubHub.

  2. That ticket generates a unique URL — the digital key to the event.

  3. The URL gets intercepted or stolen.

  4. The criminals resell the URL to someone else.

  5. The new buyer uses the same URL to enter the event — because apparently StubHub’s idea of security is “whoever holds the link, holds the ticket.”

The Real Crime: Terrible Security Design

This isn’t some zero-day exploit or elite state-sponsored hacking. This is basic web insecurity at a level that would make a junior developer blush. Ticketing systems should bind tickets to verified accounts, require multi-factor confirmation, and have actual checks at the door. Instead, StubHub (and apparently half the industry) built a system where a single URL is your ticket — no further questions asked.

If your business handles digital assets worth hundreds of pounds each and you protect them with a single URL, you’re not running a platform — you’re running a really expensive version of WeTransfer.

The Scale: Taylor Swift and 900 More Tickets

This isn’t just some obscure gig in the back room of a pub. This included Taylor Swift’s Eras Tour — one of the most in-demand events on the planet. When 900 stolen tickets ended up in the hands of buyers who had no idea they were buying stolen goods, the only surprising part is that it took this long for someone to figure out how easy this was.

The Real WTF Moment: StubHub Knew This Was Possible

Let’s be clear — this isn’t the first time URL-based ticketing has been exploited. Researchers have been yelling about this for years. The fact that two amateurs could exploit it at scale proves one thing: nobody in ticketing took security seriously enough to fix it.

This Isn’t Just StubHub’s Problem

If your business handles any asset via URL alone, congratulations — you’re a target too. Whether you’re delivering:

✅ Gift cards
✅ Digital downloads
✅ Event registrations
✅ Membership passes

If all it takes to claim the asset is “having the link”, you’re inviting exactly this kind of fraud. And if you think “but we’re not StubHub, nobody will target us,” remember that cybercriminals automate this stuff. They scrape links, run bots, and sell access to anyone willing to pay.

What Should StubHub (and Everyone Else) Be Doing?

Tie Tickets to Verified Accounts
A URL is not an identity check. Tie tickets to actual, verified users — with MFA required at collection and entry.

Detect URL Sharing
If a ticket link gets accessed from five different devices in five minutes, maybe, just maybe, that’s a clue something dodgy is happening.

Require ID at the Gate
If physical venues demanded ID matching the ticket holder’s verified account, the resale market dies overnight.

Stop Thinking URLs Are Secure
They’re designed to be shared, not treated as high-security credentials. This is basic web security from 2005 — fix it.
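To make the failure in the five steps under "How They Pulled It Off" and the first two fixes above concrete, here is an added example (not code from the original post, and not StubHub's or any real platform's code). It contrasts a bearer-link check, where the link alone is the ticket, with a check that binds the ticket to a verified, MFA-backed account, and it runs the "five devices in five minutes" heuristic over a constructed access log. The class and function names (TicketService, Session, flag_shared_links) and every token, account and log line are assumptions made up for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Set
import secrets


@dataclass
class Ticket:
    token: str                       # the secret part of the "unique URL"
    owner_id: Optional[str] = None   # verified account it is bound to; None = bearer-only
    redeemed: bool = False


@dataclass
class Session:
    user_id: str        # who the platform believes is logged in
    mfa_verified: bool  # whether that login passed a second factor


class TicketService:
    """Toy ticket store (hypothetical; not any real platform's code)."""

    def __init__(self) -> None:
        self._tickets: Dict[str, Ticket] = {}

    def issue(self, owner_id: Optional[str] = None) -> Ticket:
        ticket = Ticket(token=secrets.token_urlsafe(24), owner_id=owner_id)
        self._tickets[ticket.token] = ticket
        return ticket

    def admit_by_link(self, token: str) -> bool:
        """The flawed model: whoever presents the link first gets in."""
        ticket = self._tickets.get(token)
        if ticket is None or ticket.redeemed:
            return False
        ticket.redeemed = True
        return True

    def admit_bound(self, token: str, session: Session) -> bool:
        """The hardened model: the link only locates the ticket; the verified,
        MFA-backed session must match the account the ticket was sold to."""
        ticket = self._tickets.get(token)
        if ticket is None or ticket.redeemed:
            return False
        if ticket.owner_id is None or ticket.owner_id != session.user_id:
            return False   # link was shared or resold outside the platform
        if not session.mfa_verified:
            return False   # account binding is only as strong as the login
        ticket.redeemed = True
        return True


@dataclass
class Access:
    token: str       # which ticket link was opened
    device_id: str   # device fingerprint or cookie the platform assigns
    at: datetime


def flag_shared_links(accesses: List[Access], max_devices: int = 5,
                      window: timedelta = timedelta(minutes=5)) -> Set[str]:
    """Return tokens opened from at least `max_devices` distinct devices inside
    any `window`-long interval: the "five devices in five minutes" signal."""
    by_token: Dict[str, List[Access]] = {}
    for access in accesses:
        by_token.setdefault(access.token, []).append(access)
    flagged: Set[str] = set()
    for token, events in by_token.items():
        events.sort(key=lambda e: e.at)
        for i, start in enumerate(events):   # sliding window anchored at each event
            devices = {e.device_id for e in events[i:] if e.at - start.at <= window}
            if len(devices) >= max_devices:
                flagged.add(token)
                break
    return flagged


# Constructed access log: one link opened from five devices in four minutes,
# one opened from the owner's phone and laptop hours apart (normal behaviour).
T0 = datetime(2025, 3, 1, 19, 0)
SAMPLE_ACCESSES = [
    Access("tok-resold", f"dev-{i}", T0 + timedelta(minutes=i)) for i in range(5)
] + [
    Access("tok-normal", "dev-phone", T0),
    Access("tok-normal", "dev-phone", T0 + timedelta(minutes=30)),
    Access("tok-normal", "dev-laptop", T0 + timedelta(hours=2)),
]


def demo() -> Dict[str, bool]:
    svc = TicketService()
    bearer = svc.issue()                  # link-only ticket, as described in the post
    bound = svc.issue(owner_id="alice")   # ticket bound to Alice's verified account
    return {
        "bearer_thief_admitted": svc.admit_by_link(bearer.token),       # whoever has the link
        "bearer_real_buyer_admitted": svc.admit_by_link(bearer.token),  # too late, already used
        "bound_thief_admitted": svc.admit_bound(bound.token, Session("mallory", True)),
        "bound_alice_no_mfa": svc.admit_bound(bound.token, Session("alice", False)),
        "bound_alice_admitted": svc.admit_bound(bound.token, Session("alice", True)),
    }
```

In the bearer model the stolen link is redeemed by whoever turns up first, and the real buyer is turned away at the gate; in the bound model the same link is useless to anyone whose authenticated session does not match the purchasing account. The sharing detector is a heuristic, not proof of fraud: the threshold and window are the post's own figures, and a real deployment would tune them and feed hits into a review queue rather than block outright.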

Why This Matters to Every Business (Not Just Ticket Sellers)

This is a cautionary tale for anyone who builds convenience at the expense of security. Whether you’re selling:

  • Tickets

  • Coupons

  • Digital content

  • Anything else that lives behind a link

If the link is the only thing standing between you and fraud, you’re one step away from being the next headline.

Audit Your Own Links Today

If your platform relies on magic links to deliver anything valuable, go fix it today. Review your access controls, link lifespans, account binding, and fraud detection — because if two random ticket scalpers can pull off a £600k heist this easily, so can literally anyone with a Wi-Fi connection and half a clue.

Sources
Cybernews: original reporting on the StubHub ticket theft and arrests (Cybernews Article)
BleepingComputer: additional coverage and technical explanation (BleepingComputer)
SecurityWeek: analysis of the incident and wider industry implications (SecurityWeek Article)

Noel Bradford – Head of Technology at Equate Group, Professional Bullshit Detector, and Full-Time IT Cynic

As Head of Technology at Equate Group, my job description is technically “keeping the lights on,” but in reality, it’s more like “stopping people from setting their own house on fire.” With over 40 years in tech, I’ve seen every IT horror story imaginable—most of them self-inflicted by people who think cybersecurity is just installing antivirus and praying to Saint Norton.

I specialise in cybersecurity for UK businesses, which usually means explaining the difference between ‘MFA’ and ‘WTF’ to directors who still write their passwords on Post-it notes. On Tuesdays, I also help further education colleges navigate Cyber Essentials certification, a process so unnecessarily painful it makes root canal surgery look fun.

My natural habitat? Server rooms held together with zip ties and misplaced optimism, where every cable run is a “temporary fix” from 2012. My mortal enemies? Unmanaged switches, backups that only exist in someone’s imagination, and users who think clicking “Enable Macros” is just fine because it makes the spreadsheet work.

I’m blunt, sarcastic, and genuinely allergic to bullshit. If you want gentle hand-holding and reassuring corporate waffle, you’re in the wrong place. If you want someone who’ll fix your IT, tell you exactly why it broke, and throw in some unsolicited life advice, I’m your man.

Technology isn’t hard. People make it hard. And they make me drink.

https://noelbradford.com