Nearly 35K PayPal Users Impacted by Credential Stuffing Attack

By Greg Tavarez, TMCnet Editor  |  January 20, 2023

More solutions to defend against cyberattacks are innovated regularly. That said, bad actors are more sophisticated, and one tactic they use is called credential stuffing. For those not familiar with the term, credential stuffing is when attackers use lists of compromised user credentials to breach a system.

The attack uses bots for automation and scale and is based on the assumption that many users reuse usernames and passwords across multiple services. From there, the attackers monitor for successful logins and obtain personally identifiable information from compromised accounts.

The information is retained for future use, such as phishing attacks or other transactions enabled by the compromised service.

PayPal is a recent victim of a credential stuffing attack, and the company is sending out data breach notifications to thousands of users who had their accounts accessed.

The attack occurred between December 6-8. The company did detect and mitigate it at the time, but also started an internal investigation to find out how the hackers obtained access to the accounts. PayPal (News - Alert) concluded its investigation by December 20 and confirmed that unauthorized third parties logged into the accounts with valid credentials.

PayPal’s data breach report states that 34,942 of its users are impacted by the incident. During the two days, hackers had access to account holders' full names, dates of birth, postal addresses, Social Security numbers and individual tax identification numbers. Transaction histories, connected credit or debit card details, and PayPal invoicing data are also accessible on PayPal accounts.

PayPal says it took timely action to limit the intruders' access to the platform and reset the passwords of accounts confirmed to have been breached. Also, the notification claims that the attackers have not attempted or did not manage to perform any transactions from the breached PayPal accounts.

Impacted users are receiving a free-of-charge two-year identity monitoring service from Equifax. On top of that, PayPal urges notice recipients to change passwords for other online accounts using a unique and long string. If users use a similar password for PayPal as they do Google (News - Alert), for example, the attackers can access your Google account easily.

PayPal also advises users to activate two-factor authentication protection from account settings. Doing this prevents an unauthorized party from accessing an account, even if they have a valid username and password.

The PayPal credential stuffing attack is a reminder to utilize good password practices and activate stronger security options, even if it means taking a few more seconds each time when logging in. Most would rather do that than have their information stolen.




Edited by Alex Passett