Thousands of PayPal accounts breached in credential stuffing attack

midian182

Posts: 8,495   +105
Staff member
What just happened? PayPal is informing thousands of users that their accounts were breached last month after hackers used a credential stuffing attack. It's estimated that the personal information of almost 35,000 people was exposed in the incident.

PayPal says the accounts were accessed by unauthorized parties who were able to guess user credentials, most likely by utilizing massive data leaks from other sites. It highlights the dangers that come from people re-using their login username/password combinations across multiple websites. Password recycling is still concerningly common and can be avoided by using a good password manager.

This type of attack gets its name from the bots that run lists of credentials into sites, stuffing login portals until they gain access. PayPal says the attack took place between December 6 and December 8, 2022, affecting 34,942 customers. The company stresses that the incident was not due to a breach of its own systems and there is no evidence that the user credentials were stolen from any PayPal systems.

The accessed information included customers' names, addresses, Social Security numbers, individual tax identification numbers, and dates of birth. PayPal said it has no information that any of this data has been misused. Notably, there's no evidence of unauthorized payment transactions on the breached accounts.

PayPal said it promptly launched an investigation once the unauthorized access was discovered. It also took steps to prevent further customer information, likely payment and account details, from being stolen. The company reset the passwords of impacted accounts and "implemented enhanced security controls."

These incidents usually involve the victim company informing law enforcement, but The Reg reports that PayPal has not involved the police. The publication asked PayPal why but it never answered.

PayPal says it will offer customers two years of identity monitoring from Equifax, a company that is no stranger to data breaches (and once sent out incorrect credit scores). The payments giant also advises impacted users to activate two-factor authentication (2FA) protection on their accounts and change any recycled PayPal credentials used on other websites or services.

Permalink to story.

 

madboyv1

Posts: 1,828   +763
I've got MFA enabled and did not get any PIN requests, so I was one of the many lucky that avoided exposure.
 

Plutoisaplanet

Posts: 896   +1,426
From the headlines Paypal's security is 1000x better, but Paypal also was the one to have leaked more sensitive information:
 

envirovore

Posts: 557   +1,025
TechSpot Elite
Ouch. PayPal, a secure payment service, is nothing if you can't trust them with your data or to act appropriately when things go wrong. This is a bad day for them.

Anyone who isn't using 2FA with them really should be.

Being that this hijack was due to people reusing the same passwords with same emails across sites for login info, and PayPal themselves were not compromised, how is it PayPal's fault, or not possible to trust them any longer.
As far as their end was concerned, a user logged in using their standard credentials, which gives said user access to all their account settings and stored information...just like any other site does once you log in.
How are they supposed to verify it's the correct user and not just someone trying a bunch of email/password combos from other compromised sites?

But indeed, always opt for 2FA, preferably with an authentication manager. That alone would have prevented this from happening for those users that were compromised, and pretty much the only way to verify that 'yes, this is indeed the correct user'.
 
Last edited:

m4a4

Posts: 3,184   +4,271
TechSpot Elite
Yeah...... how are so many people implying this is a fail on Paypal's end? The credentials used for the accounts were correct. And they'd be protected if they had MFA enabled.

At the least, these people should've not been so lazy when it comes to important credentials like this.
 

wiyosaya

Posts: 8,430   +7,877
Password recycling is still concerningly common and can be avoided by using a good password manager.
IMO, using a password manager is a highly questionable endeavor these days with multiple password managers being hacked recently. I think its a better strategy to use an anonymous mail service like https://www.sneakemail.com and generate a new e-mail for EVERYTHING you sign up for on the web. There are the few JA sites that won't accept obviously randomized e-mail addresses, however, IMO, that is entirely lame since any e-mail address could be used for illegitimate purposes. I'd guess that such a strategy is much more secure than a password manager - even if you reuse a password across multiple sites.
 

AxelAminoff

Posts: 12   +13
Yeah...... how are so many people implying this is a fail on Paypal's end? The credentials used for the accounts were correct. And they'd be protected if they had MFA enabled.

At the least, these people should've not been so lazy when it comes to important credentials like this.
Good, blame the victims.
 

Kashim

Posts: 207   +262
Good, blame the victims.
Good, play the victim game.

You use the same login/password on multiple sites. Then one of those sites gets hacked and they use your credentials on PayPal or some other site. And this is somehow PayPal's fault and makes you the victim?