Thousands of PayPal accounts breached in credential stuffing attack

midian182

What just happened? PayPal is informing thousands of users that their accounts were breached last month after hackers used a credential stuffing attack. It's estimated that the personal information of almost 35,000 people was exposed in the incident.

PayPal says the accounts were accessed by unauthorized parties who were able to guess user credentials, most likely by utilizing massive data leaks from other sites. It highlights the dangers that come from people re-using their login username/password combinations across multiple websites. Password recycling is still concerningly common and can be avoided by using a good password manager.

This type of attack gets its name from the bots that run lists of credentials into sites, stuffing login portals until they gain access. PayPal says the attack took place between December 6 and December 8, 2022, affecting 34,942 customers. The company stresses that the incident was not due to a breach of its own systems and there is no evidence that the user credentials were stolen from any PayPal systems.

The accessed information included customers' names, addresses, Social Security numbers, individual tax identification numbers, and dates of birth. PayPal said it has no information that any of this data has been misused. Notably, there's no evidence of unauthorized payment transactions on the breached accounts.

PayPal said it promptly launched an investigation once the unauthorized access was discovered. It also took steps to prevent further customer information, likely payment and account details, from being stolen. The company reset the passwords of impacted accounts and "implemented enhanced security controls."

These incidents usually involve the victim company informing law enforcement, but The Reg reports that PayPal has not involved the police. The publication asked PayPal why but it never answered.

PayPal says it will offer customers two years of identity monitoring from Equifax, a company that is no stranger to data breaches (and once sent out incorrect credit scores). The payments giant also advises impacted users to activate two-factor authentication (2FA) protection on their accounts and change any recycled PayPal credentials used on other websites or services.


 
I've got MFA enabled and did not get any PIN requests, so I was one of the many lucky that avoided exposure.
 
From the headlines Paypal's security is 1000x better, but Paypal also was the one to have leaked more sensitive information:
 
Ouch. PayPal, a secure payment service, is nothing if you can't trust them with your data or to act appropriately when things go wrong. This is a bad day for them.

Anyone who isn't using 2FA with them really should be.

Being that this hijack was due to people reusing the same passwords with the same emails across sites for login info, and PayPal themselves were not compromised, how is it PayPal's fault, or not possible to trust them any longer?
As far as their end was concerned, a user logged in using their standard credentials, which gives said user access to all their account settings and stored information...just like any other site does once you log in.
How are they supposed to verify it's the correct user and not just someone trying a bunch of email/password combos from other compromised sites?

But indeed, always opt for 2FA, preferably with an authentication manager. That alone would have prevented this from happening for those users that were compromised, and pretty much the only way to verify that 'yes, this is indeed the correct user'.
 
Yeah...... how are so many people implying this is a fail on Paypal's end? The credentials used for the accounts were correct. And they'd be protected if they had MFA enabled.

At the least, these people should've not been so lazy when it comes to important credentials like this.
 
Password recycling is still concerningly common and can be avoided by using a good password manager.
IMO, using a password manager is a highly questionable endeavor these days with multiple password managers being hacked recently. I think it's a better strategy to use an anonymous mail service like https://www.sneakemail.com and generate a new e-mail for EVERYTHING you sign up for on the web. There are the few JA sites that won't accept obviously randomized e-mail addresses, however, IMO, that is entirely lame since any e-mail address could be used for illegitimate purposes. I'd guess that such a strategy is much more secure than a password manager - even if you reuse a password across multiple sites.
 
Yeah...... how are so many people implying this is a fail on Paypal's end? The credentials used for the accounts were correct. And they'd be protected if they had MFA enabled.

At the least, these people should've not been so lazy when it comes to important credentials like this.
Good, blame the victims.
 
Good, blame the victims.
Good, play the victim game.

You use the same login/password on multiple sites. Then one of those sites gets hacked and they use your credentials on PayPal or some other site. And this is somehow PayPal's fault and makes you the victim?
 