PayPal has sent out data breach notifications to thousands of its users who had their accounts accessed through credential stuffing attacks that exposed some personal data. Credential stuffing attacks are when hackers attempt to access an account by trying out username and password pairs sourced from data leaks on various websites.
This type of attack relies on an automated approach with bots running lists of credentials to "stuff" into login portals for various services. Credential stuffing targets users that employ the same password for multiple online accounts, which is known as "password recycling."
PayPal explains that the credential stuffing attack occurred between December 6 and December 8, 2022. The company detected and mitigated it at the time but also started an internal investigation to find out how the hackers obtained access to the accounts. By December 20, 2022, PayPal concluded its investigation, confirming that unauthorized third parties logged into the accounts with valid credentials. The electronic payments platform claims that this was not due to a breach on its systems and has no evidence that the user credentials were obtained directly from them.
According to the data breach reporting from PayPal, 34,942 of its users have been impacted by the incident. During the two days, hackers had access to account holders' full names, dates of birth, postal addresses, social security numbers, and individual tax identification numbers. Transaction histories, connected credit or debit card details, and PayPal invoicing data were also accessible on PayPal accounts.
We heard from cyber experts, who shared their perspectives on the PayPal data breach, mitigations for affected users, and best practices for organizations to thwart similar threats moving forward. Ted Miracco, CEO, Approov:
“We are not witnessing the death of password technology, but what we are witnessing (again and again) is the death of the naïveté and wishful thinking that surrounds any technology built on the premise that a single authentication source is a good idea. We have rushed to embrace SSO technologies without fully considering the obvious major disadvantage: that it constitutes a single point of failure, as the compromised password lets the intruder into all areas open to the password owner, and in the case of PayPal the consequences might be quite high for those that built their trust into these systems without additional safeguards like 2FA or hardware authentication.”
Timothy Morris, Chief Security Advisor, AMER, Tanium: "This is a prevailing issue where users are using the same ID/password combinations for multiple sites and applications. Credential stuffing is successful because many of those combinations are on the dark web from previous breaches. These types of attacks can be prevented by enabling 2FA or MFA. The information that apparently has been gleaned from this attack could be used for identity theft. The thieves could also sell the information in underground forums to quickly monetize their plunder. Affected users should monitor their credit reports and use the fraud alert services provided by the major credit reporting services. Also, they should enable strong multi-factor authentication (MFA) for all systems. Strong MFA includes the trifecta of something you:
Have (token, key)
Baber Amin, COO, Veridium: "Another day, another credential stuffing attack. We are starting to see a pattern here, as consumers create more accounts and reuse or recycle their passwords. As consumers we need to take responsibility to safeguard our accounts, and practice good security. This includes:
Don’t reuse or recycle passwords (to be fair, this could be hard to do for most folks as the number of online accounts continues to mushroom)
Enable two-factor authentication on any account or service that offers it as an option. This is your first line of defense.
As trusted vendors, PayPal and others need to set a higher bar here. Vendors should implement:
Processes to monitor and identify anomalous behavior, like the vast number of login failures from a credential stuffing attack. There are multiple tools and services that can do this now. For PayPal to take multiple days to catch this should not be acceptable;
Actively encourage customers to use two-factor authentication, and not just provide it as an option.
Actively eliminate passwords from their user-facing systems by fast-tracking FIDO passkey adoption"
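The kind of anomaly monitoring Amin calls for, many login failures spread across many distinct accounts from one source, is what separates credential stuffing from an ordinary mistyped password or a single-account brute force. The following is an added example, not PayPal's or any vendor's code; the log format, the thresholds (`window`, `min_users`) and the sample lines are all constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (not real PayPal data): one address trying 18 leaked
# username/password pairs in under two minutes (2 of them still valid), one
# legitimate user mistyping a password, and one single-account brute force.
# Line format assumed here: "<ISO timestamp> <source IP> <username> <OK|FAIL>".
def constructed_log():
    t0 = datetime(2022, 12, 6, 10, 0, 0)
    lines = []
    for i in range(18):
        result = "OK" if i in (4, 11) else "FAIL"
        lines.append(f"{(t0 + timedelta(seconds=5 * i)).isoformat()} 198.51.100.7 user{i:02d} {result}")
    for i, result in enumerate(["FAIL", "FAIL", "OK"]):
        lines.append(f"{(t0 + timedelta(seconds=30 * i)).isoformat()} 203.0.113.5 alice {result}")
    for i in range(25):
        lines.append(f"{(t0 + timedelta(seconds=2 * i)).isoformat()} 203.0.113.9 carol FAIL")
    return lines

def parse(line):
    ts, ip, user, result = line.split()
    return datetime.fromisoformat(ts), ip, user, result

def detect_stuffing(lines, window=timedelta(minutes=5), min_users=10):
    """Flag source IPs whose failed logins inside any `window` span at least
    `min_users` distinct usernames (credential stuffing signature). For each
    flagged IP also list usernames that logged in successfully from it, since
    those are the accounts where recycled credentials were still valid.
    Returns {ip: {"distinct_failed_users": n, "successes": [user, ...]}}."""
    by_ip = defaultdict(list)
    for line in lines:
        ts, ip, user, result = parse(line)
        by_ip[ip].append((ts, user, result))
    flagged = {}
    for ip, events in by_ip.items():
        events.sort()
        fails = [(ts, u) for ts, u, r in events if r == "FAIL"]
        best, start = 0, 0
        for end in range(len(fails)):            # sliding time window over failures
            while fails[end][0] - fails[start][0] > window:
                start += 1
            best = max(best, len({u for _, u in fails[start:end + 1]}))
        if best >= min_users:
            flagged[ip] = {"distinct_failed_users": best,
                           "successes": [u for _, u, r in events if r == "OK"]}
    return flagged
```

Only the spraying address is flagged; the brute force against one account produces more failures but only one username, so it needs a different rule (per-account failure rate). Tune thresholds to the login volume of the service being monitored.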