PayPal gets stuffed by large-scale credential attack
Yesterday PayPal began sending out data breach notifications to thousands of its users whose accounts were accessed via credential stuffing attacks that exposed some personal data.
BleepingComputer reports that almost 35,000 accounts were compromised in the attack which took place between December 6 and December 8, 2022.
PayPal says it has taken action to limit the intruders' access and to reset the passwords of breached accounts. "We have no information suggesting that any of your personal information was misused as a result of this incident, or that there are any unauthorized transactions on your account," reads the company's notice to affected users.
Sam Curry, chief security officer at Cybereason says, "Part of the beauty of payment systems is their simplicity and ease of use: there are as few 'clicks' as possible or challenges added to the purchase flow. However, there are only a few solutions to this that PayPal can attempt. Firstly, they can add multi-factor authentication, either the addition of a challenge or the instrumentation of non-interruptive authentication factors. To some degree they do this, but the mere success of 35,000 compromises would indicate improvements could help. Secondly, the company can also add more analytics to look at exploitative patterns, although this will have a limited effect since attackers can simply slow down and change patterns for stuffing fairly simply from an operational perspective. In the end, though, users have to participate in their own rescue to some degree and rotate passwords, use password vaults, use unique passwords and so on; so finally PayPal can have a program to help users do this beyond mere credit watching."
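As an added, defender-side illustration of the "analytics to look at exploitative patterns" Curry mentions (example code written for this page, not PayPal's or Cybereason's), the following flags the per-source signature of credential stuffing in a constructed authentication log. The log format, thresholds and function names are assumptions.

```python
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed sample auth log (hypothetical, not PayPal data), one event per
# line: "<timestamp> <source_ip> <username> <OK|FAIL>".
SAMPLE_LOG = """\
2022-12-06T10:00:01Z 203.0.113.7 alice@example.test FAIL
2022-12-06T10:00:02Z 203.0.113.7 bob@example.test FAIL
2022-12-06T10:00:03Z 203.0.113.7 carol@example.test OK
2022-12-06T10:00:04Z 203.0.113.7 dave@example.test FAIL
2022-12-06T10:00:05Z 203.0.113.7 erin@example.test FAIL
2022-12-06T10:00:06Z 203.0.113.7 frank@example.test FAIL
2022-12-06T10:01:10Z 198.51.100.9 alice@example.test FAIL
2022-12-06T10:01:15Z 198.51.100.9 alice@example.test FAIL
2022-12-06T10:01:20Z 198.51.100.9 alice@example.test OK
"""

@dataclass
class SourceStats:
    attempts: int = 0
    failures: int = 0
    users: set = field(default_factory=set)      # distinct accounts tried
    successes: set = field(default_factory=set)  # accounts actually entered

def stuffing_sources(log_text, min_users=5, min_fail_rate=0.6):
    """Return {source_ip: SourceStats} for sources that look like stuffing:
    many *distinct* accounts tried from one source, mostly failing.
    Per-account lockouts never fire (one or two tries per account), so the
    volume is only visible per source. Caveat: spreading the list over many
    IPs and slowing down stays under min_users; this is one signal, not a control.
    """
    by_ip = defaultdict(SourceStats)
    for line in filter(None, log_text.splitlines()):
        _ts, ip, user, outcome = line.split()
        stats = by_ip[ip]
        stats.attempts += 1
        stats.users.add(user)
        if outcome == "OK":
            stats.successes.add(user)
        else:
            stats.failures += 1
    return {ip: s for ip, s in by_ip.items()
            if len(s.users) >= min_users
            and s.failures / s.attempts >= min_fail_rate}

def accounts_to_reset(log_text, **thresholds):
    """Accounts a flagged source logged into: force a reset and notify."""
    flagged = stuffing_sources(log_text, **thresholds).values()
    return sorted(user for s in flagged for user in s.successes)
```

In the sample, the first source is flagged (six accounts, five failures) and the one account it entered is returned for reset, while the second source, a single user retrying their own password, is not.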
Patrick Wragg, cyber incident response manager at Integrity360, agrees that users need to step up their own security efforts: "Falling prey to credential stuffing (as reported) highlights the significance of a robust MFA (Multi-Factor Authentication) solution. Every credential stuffing incident the IR team at Integrity360 comes across shows that victims are still choosing passwords that are easy to remember (and therefore guess). Adding the extra security step that is MFA means that password strength is not the only hurdle attackers have to cross."
Julia O'Toole, CEO of MyCena Security Solutions, highlights the role of data taken from the Dark Web:
"This is yet another credential stuffing attack that has been announced in the last few days, and it once again shows how attackers constantly scrape data from the Dark Web to exploit compromised information further.
PayPal has stated that it has no evidence of user accounts being used maliciously, but this should provide little comfort for victims. The attackers can now target these victims with phishing emails and identity theft scams and use those passwords again on other sites."
PayPal urges users who have received a notification that their account has been breached to change the passwords for their other online accounts and to enable 2FA on PayPal from the Account Settings menu.