Posted on January 22, 2023 at 5:52 AM
Data breach notifications are being sent to thousands of PayPal users. These users had recently seen their accounts accessed by a vicious credential-stuffing attack that struck the platform, exposing the personal data of some users.
Credit Stuffing Attacks
Credential stuffing attacks in and of themselves are when hackers utilize username/password combinations sourced from various data leaks in quick succession to try and gain access to an account. Typically this relies on previous data leaks, banking on the fact that people tend to be too lazy to change their passwords as the months and years drag on
This stands as one of the more automatic attacks, as bots are typically used to rapidly insert the credentials and report which ones score a hit. These bots typically target a number of services at once in a bid to score as many hits as possible, using the strategy of a shotgun instead of a hunting rifle.
Reliance On Human Habit
As for who is vulnerable, credential stuffing attacks typically target those that utilize the same username/password combination across multiple accounts. According to the BleepingComputer report, shy of 35,000 individuals fell victim to this habit and subsequently fell victim to this latest data breach.
PayPal had reported the time of the credential stuffing occurred on the 6th and 8th of December of 2022. The report states that PayPal had successfully detected and stopped the credential stuffing attack. An internal investigation was done shortly after to determine how these threat actors managed to gain access to the accounts.
Proving Their Own Innocence
It was on the 20th of December, 2022, when PayPal finished the investigation. The result was that these unauthorized third parties had access to the valid credentials during their credential stuffing attack.
PayPal was quick to cover itself, though. The payment firm made it clear that their own systems were not breached in this attack. They further claim that they have found no evidence that would imply that the credentials used in the attack were sourced directly from PayPal’s own systems, effectively pardoning them from how the attack happened in the first place.
The reported data breach shows that a total of 34,942 users were affected. PayPal stated that hackers were capable of accessing dates of birth, full names, social security numbers, postal addresses, as well as tax identification numbers of those affected by the hack.
According to PayPal, it had taken “timely action” to limit the access of the intruders to the platform, and had reset the passwords of those accounts it could determine to have been breached.
PayPal further claims that they hold no information that suggests that the information stolen in the data breach had been misused at this time. Furthermore, PayPal detected no unauthorized transactions on any of these accounts.
Compensation And Urges For Safety
To try and apologize for the event, PayPal is offering those affected a two-year identity monitoring service courtesy of Equifax.
PayPal has strongly recommended the users affected by the data breach to change their login details to change their passwords on various other platforms, as well. They further recommend the use of a long, unique string for each of these platforms, citing that a good password is a minimum of 12 characters long, containing alphanumerics and symbols.
Another recommendation coming from PayPal is that these users activate their two-factor authentication wherever it is possible. This helps further prevent these attacks from occurring due to the higher level of complexity needed to breach the account. It allows these malicious actors to be blocked even if they manage to acquire the proper credentials.
Time will tell how this data breach will affect the people at large. PayPal had done its due diligence, warning those that were affected by the data breach and further urging them to take the necessary steps needed to protect themselves in the future. The cybercriminal space is in a constant state of evolution and innovation as they try to keep up with the counters developed by the cybersecurity space.
Recently, Microsoft OneNote has been subject to this innovation. When Microsoft finally patched the exploits malicious actors used to breach systems via phishing attacks, they adapted by discovering new ways. It’s a constant struggle from both sides as they innovate to get one over the other. As long as there is a need for computer systems, there will be cyber criminals. As long as there are cybercriminals, cybersecurity experts will work towards thwarting their systems. It’s a dance that won’t end any time soon.