PayPal: 35,000 customers breached in credential stuffing attack


PayPal has reset passwords on all impacted accounts

PayPal is sending data breach warnings to nearly 35,000 users whose accounts were compromised as a result of a widespread credential stuffing attack in December last year.

The company says the attack enabled hackers to access users' personal details, including names, addresses, dates of birth, tax identification numbers and social security numbers.

Unlike a breach of the targeted company's own systems, a credential stuffing attack reuses usernames and passwords that are already circulating from earlier breaches of other services, often sold or shared on the dark web.

Such attacks are typically automated: bots work through lists of username and password pairs obtained from prior data breaches and try them against a range of unrelated online services. The attack succeeds wherever a user has reused the same password on another site and has not changed it since it was leaked.
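The pattern described above has a recognisable signature in a login log: one source tries many distinct usernames, roughly once each (the attacker already has a password for every account), with a high failure rate and a few successes. A brute-force attack looks different (one username, many passwords), and so does a real user (a couple of failures, then success on their own account). The following is an added example, not code from PayPal or from the article; it runs over constructed sample log lines in a made-up `timestamp source_ip username outcome` format, with thresholds (`min_users`, `min_spread`, `min_fail_rate`) chosen for illustration.

```python
"""Flag credential-stuffing sources in web login logs and list the accounts
that should be force-reset. Added example; thresholds and log format are
assumptions, not taken from the incident."""
from collections import defaultdict
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple

# Constructed sample log (not data from the incident): timestamp, source IP,
# username, outcome. Three behaviours are mixed together: a stuffing bot
# (203.0.113.10), a brute-force attempt (198.51.100.7) and a real user (192.0.2.55).
SAMPLE_LOG = """\
2022-12-06T01:00:01Z 203.0.113.10 user01@example.com FAIL
2022-12-06T01:00:01Z 203.0.113.10 user02@example.com FAIL
2022-12-06T01:00:02Z 203.0.113.10 user03@example.com OK
2022-12-06T01:00:02Z 203.0.113.10 user04@example.com FAIL
2022-12-06T01:00:03Z 203.0.113.10 user05@example.com FAIL
2022-12-06T01:00:03Z 203.0.113.10 user06@example.com FAIL
2022-12-06T01:00:04Z 203.0.113.10 user07@example.com OK
2022-12-06T01:00:04Z 203.0.113.10 user08@example.com FAIL
2022-12-06T01:00:05Z 203.0.113.10 user09@example.com FAIL
2022-12-06T01:00:05Z 203.0.113.10 user10@example.com FAIL
2022-12-06T01:10:00Z 198.51.100.7 admin@example.com FAIL
2022-12-06T01:10:05Z 198.51.100.7 admin@example.com FAIL
2022-12-06T01:10:10Z 198.51.100.7 admin@example.com FAIL
2022-12-06T01:10:15Z 198.51.100.7 admin@example.com FAIL
2022-12-06T01:10:20Z 198.51.100.7 admin@example.com FAIL
2022-12-06T01:10:25Z 198.51.100.7 admin@example.com FAIL
2022-12-06T02:00:00Z 192.0.2.55 dana@example.com FAIL
2022-12-06T02:00:09Z 192.0.2.55 dana@example.com FAIL
2022-12-06T02:00:20Z 192.0.2.55 dana@example.com OK
"""


@dataclass
class SourceStats:
    attempts: int = 0
    failures: int = 0
    users: Set[str] = field(default_factory=set)
    succeeded_users: Set[str] = field(default_factory=set)  # usernames that logged in OK from this source

    @property
    def failure_rate(self) -> float:
        return self.failures / self.attempts if self.attempts else 0.0

    @property
    def user_spread(self) -> float:
        """Distinct usernames per attempt: close to 1.0 means each account was tried about once."""
        return len(self.users) / self.attempts if self.attempts else 0.0


def parse_log(text: str) -> List[Tuple[str, str, str, str]]:
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # skip blank or malformed lines rather than crash on them
        events.append((parts[0], parts[1], parts[2], parts[3]))
    return events


def summarize_by_ip(events: List[Tuple[str, str, str, str]]) -> Dict[str, SourceStats]:
    stats: Dict[str, SourceStats] = defaultdict(SourceStats)
    for _ts, ip, user, outcome in events:
        s = stats[ip]
        s.attempts += 1
        s.users.add(user)
        if outcome == "OK":
            s.succeeded_users.add(user)
        else:
            s.failures += 1
    return dict(stats)


def classify(s: SourceStats, min_attempts: int = 5, min_users: int = 5,
             min_spread: float = 0.8, min_fail_rate: float = 0.5) -> str:
    """Assumed heuristic: many accounts, each tried about once, mostly failing = stuffing;
    one account, mostly failing = brute force; anything small or mixed = normal."""
    if s.attempts < min_attempts:
        return "normal"
    if len(s.users) >= min_users and s.user_spread >= min_spread and s.failure_rate >= min_fail_rate:
        return "credential-stuffing"
    if len(s.users) == 1 and s.failure_rate >= min_fail_rate:
        return "brute-force"
    return "normal"


def analyze(text: str) -> Tuple[Dict[str, str], List[str]]:
    """Return (verdict per source IP, accounts to force-reset).

    A successful login from a stuffing source is treated as a compromise, not as
    the legitimate user: the attacker had the correct password, so success alone
    proves nothing about who logged in."""
    stats = summarize_by_ip(parse_log(text))
    verdicts = {ip: classify(s) for ip, s in stats.items()}
    to_reset = sorted(
        u for ip, s in stats.items() if verdicts[ip] == "credential-stuffing" for u in s.succeeded_users
    )
    return verdicts, to_reset


if __name__ == "__main__":
    verdicts, to_reset = analyze(SAMPLE_LOG)
    for ip, verdict in sorted(verdicts.items()):
        print(f"{ip:15} {verdict}")
    print("force password reset:", ", ".join(to_reset))
```

Keying on the source IP is the simplest version and is what the sample shows; real stuffing campaigns rotate through residential proxies so that each IP makes only a few attempts, which is why production detections also aggregate by ASN, device fingerprint or a global spike in the failure rate across all logins, and why the successes from a flagged source are what drive the password resets rather than the failures.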

PayPal says the account compromise did not result from a breach of its own systems, and that there is no evidence the credentials were stolen directly from users.

PayPal uncovered the breach on December 20, finding that between December 6 and December 8 unauthorised persons had accessed certain PayPal user accounts using valid login credentials.

The attackers were able to view, and potentially obtain, personal details during the unauthorised access.

In addition to users' personal details, PayPal accounts also store their transaction histories, linked credit or debit card details, and information on PayPal invoices.

PayPal launched an investigation after becoming aware of the unlawful access and took action to address the incident, including by taking measures to stop unauthorised actors from gaining more personal information.

It reset the passwords on all affected PayPal accounts and introduced additional security controls that require those users to set a new password the next time they log in.

PayPal said it has no evidence to suggest that the incident led to the abuse of personal information. It added that no transactions from the compromised PayPal accounts have been attempted or successfully completed by the attackers.

A total of 34,942 of PayPal's users have been affected by the incident, according to the company's data breach report [pdf].

Because names, dates of birth, addresses and social security numbers can be used for identity theft and other fraud, PayPal is offering affected users two years of free identity monitoring from Equifax.

Additionally, users are advised to enable two-factor authentication (2FA) on their accounts, so that a stolen or reused password alone is no longer enough to log in.

People who use the same password across many online sites should switch to a unique, strong password for each one; a password manager makes this practical. Length matters more than complexity rules: a strong password has at least 12 characters, and a randomly generated one mixing letters, digits and symbols is best.

Commenting on the incident, Ilia Kolochenko, founder of ImmuniWeb and a member of the Europol Data Protection Experts Network, said: "It is at least surprising why MFA authentication is not enforced by default for such a sensitive service as PayPal."

"Moreover, any unusual activity, such as login from an unknown location or new device should be rapidly reported to the user and the account may be temporarily suspended unless the user takes an action.

"Modern MFA technologies cost almost nothing to implement and should be enabled by default by financial service providers as a foundational security control. In the meantime, all users should urgently enable MFA everywhere, especially in view of the recent LastPass data breach."