PayPal's own systems were not breached, yet attackers still got into nearly 35,000 PayPal user accounts between December 6th and 8th by "credential stuffing": replaying login details leaked from other sites against PayPal, on the bet that the victims had used the same password there.
In a credential stuffing attack, the attacker takes username and password pairs stolen in a breach of one service and tries them against other services, relying on people reusing passwords across platforms. The technique depends on automation: tooling replays thousands or millions of leaked pairs against the login endpoint and records which ones work. Because the attacker already holds a real password for each username, each account typically receives only one or two attempts, which is what separates stuffing from a classic brute-force attack that hammers a single account with many guesses.
Personal Information of 35,000 Accounts Compromised
Hackers gained access to account holders' full names, dates of birth, postal addresses, Social Security numbers, and individual tax identification numbers. Transaction histories, linked credit or debit card details, and PayPal invoicing data were also exposed.
PayPal says it stopped the intrusion within two days, reset the passwords of the affected accounts, and found no unauthorized transactions. It is also giving affected users two years of free Equifax credit monitoring.
PayPal might not have been hacked, but it isn’t entirely without blame. Baber Amin, the COO of Veridium, told PCWorld:
“As trusted vendors, PayPal and others need to set a higher bar here. Vendors should implement:
Processes to monitor and identify anomalous behavior, like the vast number of login failures from a credential stuffing attack. There are multiple tools and services that can do this now. For PayPal to take multiple days to catch this should not be acceptable.
Actively encourage customers to use two-factor authentication, and not just provide it as an option.
Actively eliminate passwords from their user-facing systems by fast tracking Fido Passkey adoption.”
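The anomaly Amin describes, a flood of login failures spread across many different usernames from one source, is easy to surface from an authentication log. The following Python example is added here to illustrate that point; it is not code from PayPal, Veridium, or the original article. The log line format and the thresholds are assumptions, and the log lines themselves are constructed sample data. The example also labels a second, contrasting pattern (one username, many failures) as classic brute force, so the two are not confused, and it deliberately includes one successful login inside the stuffing burst, because a real stuffing run does succeed against a fraction of accounts and the detector must not depend on a zero success count.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample auth-log lines (not real PayPal data; the format is an assumption).
SAMPLE_LOG = """
2022-12-06T03:14:01Z ip=198.51.100.7 user=alice@example.com result=FAIL
2022-12-06T03:14:02Z ip=198.51.100.7 user=bob@example.com result=FAIL
2022-12-06T03:14:02Z ip=198.51.100.7 user=carol@example.com result=FAIL
2022-12-06T03:14:03Z ip=198.51.100.7 user=dave@example.com result=OK
2022-12-06T03:14:03Z ip=198.51.100.7 user=erin@example.com result=FAIL
2022-12-06T03:14:04Z ip=198.51.100.7 user=frank@example.com result=FAIL
2022-12-06T03:14:04Z ip=198.51.100.7 user=grace@example.com result=FAIL
2022-12-06T03:14:05Z ip=198.51.100.7 user=heidi@example.com result=FAIL
2022-12-06T03:20:00Z ip=203.0.113.5 user=bob@example.com result=FAIL
2022-12-06T03:20:01Z ip=203.0.113.5 user=bob@example.com result=FAIL
2022-12-06T03:20:02Z ip=203.0.113.5 user=bob@example.com result=FAIL
2022-12-06T03:20:03Z ip=203.0.113.5 user=bob@example.com result=FAIL
2022-12-06T03:20:04Z ip=203.0.113.5 user=bob@example.com result=FAIL
2022-12-06T03:20:05Z ip=203.0.113.5 user=bob@example.com result=FAIL
2022-12-06T03:25:00Z ip=192.0.2.10 user=alice@example.com result=OK
2022-12-06T03:26:00Z ip=192.0.2.10 user=carol@example.com result=FAIL
2022-12-06T03:26:30Z ip=192.0.2.10 user=carol@example.com result=OK
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) ip=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<result>OK|FAIL)$"
)


def parse_log(text):
    """Parse log lines into event dicts, skipping blank or malformed lines."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        e = m.groupdict()
        e["ts"] = datetime.strptime(e["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(e)
    return events


def ip_stats(events, window=timedelta(seconds=60)):
    """Per-source-IP counters, plus the peak number of distinct usernames tried in any window."""
    by_ip = defaultdict(list)
    for e in events:
        by_ip[e["ip"]].append(e)
    stats = {}
    for ip, evs in by_ip.items():
        evs.sort(key=lambda e: e["ts"])
        peak, j = 0, 0
        for i in range(len(evs)):           # two-pointer sliding window over sorted events
            while j < len(evs) and evs[j]["ts"] - evs[i]["ts"] <= window:
                j += 1
            peak = max(peak, len({e["user"] for e in evs[i:j]}))
        attempts = len(evs)
        fails = sum(1 for e in evs if e["result"] == "FAIL")
        stats[ip] = {
            "attempts": attempts,
            "users": len({e["user"] for e in evs}),
            "fail_ratio": fails / attempts,
            "peak_users_in_window": peak,
        }
    return stats


def classify(stats, min_users=5, min_attempts=5, min_fail_ratio=0.8):
    """Label each source IP.
    credential_stuffing: many distinct users in a short window, about one try each, mostly failing.
    brute_force: a single user hit with many failing tries. Everything else: normal."""
    verdicts = {}
    for ip, s in stats.items():
        if (s["peak_users_in_window"] >= min_users
                and s["fail_ratio"] >= min_fail_ratio
                and s["attempts"] / s["users"] <= 2):
            verdicts[ip] = "credential_stuffing"
        elif (s["users"] == 1 and s["attempts"] >= min_attempts
                and s["fail_ratio"] >= min_fail_ratio):
            verdicts[ip] = "brute_force"
        else:
            verdicts[ip] = "normal"
    return verdicts


if __name__ == "__main__":
    for ip, verdict in classify(ip_stats(parse_log(SAMPLE_LOG))).items():
        print(ip, verdict)
```

In production the same logic runs over a streaming window rather than a whole file, and the source key is usually broader than a single IP (an ASN, a proxy pool, or a device fingerprint), because stuffing tools rotate addresses; the ratio of distinct usernames to attempts is the signal that survives that rotation.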
Rafay Baloch, a well-known Pakistani security researcher, believes PayPal's response to the incident was prompt and appropriate.
He stated “Paypal’s prompt response to the incident, as well as their efforts to notify affected users and provide credit monitoring services, demonstrate that they take the security of their users’ data seriously. Users must understand that no system is completely secure, and they must take responsibility for their own security by using unique and strong passwords and enabling two-factor authentication wherever possible.”
Baloch also argues that vendors should push customers toward two-factor authentication rather than merely offering it as an option, and should work to remove passwords from user-facing systems altogether by accelerating FIDO passkey adoption.
How to Keep Your Account Safe from Credential Stuffing Attacks
To begin with, never reuse a password across accounts. This matters most for accounts that hold sensitive personal or financial information, such as PayPal. A password manager removes the need to remember a different password for every site.
Some people try to get by with one base password plus a short per-site tag, for example the same base with "gl" appended for Gmail and a different two-letter tag for Facebook. That is better than literal reuse, but only slightly: anyone who obtains one of those passwords from a breach can see the pattern and guess the variant for every other site, and credential stuffing tools routinely apply such simple rewrite rules to leaked passwords. Let the password manager generate a long random password for each site instead.
Another important step is two-factor authentication (2FA), which you can enable from PayPal's Account Settings. Even if an attacker obtains your password, they cannot get into your account without also completing the second verification step. That is exactly the gap credential stuffing exploits: the attacker has a leaked password and nothing else.