
Thousands Of PayPal Accounts Hacked—Is Yours One Of Them?

PayPal itself hasn’t been breached, but thousands of customer accounts have.

According to a PayPal notice of security incident dated January 18, attackers gained unauthorized access to the accounts of thousands of users between December 6 and 8, 2022. The total number of accounts accessed by threat actors using a credential stuffing attack is reported as 34,942.

What is a credential stuffing attack?

A credential stuffing attack occurs when a threat actor uses an automated process to attempt to log in to a service with username and password pairs that were reused across accounts and then leaked in a breach of one of them. Because a reused password unlocks every service where it was reused, security experts go to great lengths to advise against such password reuse.
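The defining signature of the attack just described is one source trying many different usernames, roughly once each, with most attempts failing and the occasional success where the reused password was still valid. The following added example (not PayPal's detection logic and not from the article) runs that rule over a few constructed authentication log lines; the log format, the 60-second window and the thresholds are assumptions chosen for illustration.

```python
"""Flag credential-stuffing patterns in authentication logs.

Added example, not taken from the article or from PayPal. It flags any
source IP that, inside a short window, attempts many *distinct* usernames
with a high failure rate, and lists accounts that were nevertheless logged
into from that source (the accounts an incident responder would reset first).
"""
from collections import defaultdict
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Dict, List

# Constructed sample log lines (not real data): "<ISO time> <src_ip> <username> <result>".
# 203.0.113.7 sprays ten different accounts in six seconds and gets into one;
# 198.51.100.4 retries a single account (brute force, not stuffing);
# 192.0.2.9 is one ordinary failed login.
SAMPLE_LOG = """\
2022-12-06T10:00:01 203.0.113.7 alice FAIL
2022-12-06T10:00:02 203.0.113.7 bob FAIL
2022-12-06T10:00:02 203.0.113.7 carol FAIL
2022-12-06T10:00:03 203.0.113.7 dave SUCCESS
2022-12-06T10:00:03 203.0.113.7 erin FAIL
2022-12-06T10:00:04 203.0.113.7 frank FAIL
2022-12-06T10:00:04 203.0.113.7 grace FAIL
2022-12-06T10:00:05 203.0.113.7 heidi FAIL
2022-12-06T10:00:05 203.0.113.7 ivan FAIL
2022-12-06T10:00:06 203.0.113.7 judy FAIL
2022-12-06T10:05:00 198.51.100.4 alice FAIL
2022-12-06T10:05:20 198.51.100.4 alice SUCCESS
2022-12-06T10:30:00 192.0.2.9 mallory FAIL
"""


@dataclass
class AuthEvent:
    ts: datetime
    src_ip: str
    user: str
    success: bool


@dataclass
class Finding:
    src_ip: str
    attempts: int
    distinct_users: int
    failures: int
    compromised: List[str] = field(default_factory=list)  # accounts logged into during the burst


def parse_line(line: str) -> AuthEvent:
    """Parse one line of the assumed 'time ip user result' format."""
    ts, ip, user, result = line.split()
    return AuthEvent(datetime.fromisoformat(ts), ip, user, result == "SUCCESS")


def detect_stuffing(log_text: str, window_seconds: int = 60,
                    min_distinct_users: int = 5, min_fail_ratio: float = 0.8) -> Dict[str, Finding]:
    """Return one Finding per source IP whose traffic matches the stuffing pattern."""
    by_ip: Dict[str, List[AuthEvent]] = defaultdict(list)
    for line in log_text.splitlines():
        if line.strip():
            ev = parse_line(line)
            by_ip[ev.src_ip].append(ev)

    window = timedelta(seconds=window_seconds)
    findings: Dict[str, Finding] = {}
    for ip, events in by_ip.items():
        events.sort(key=lambda e: e.ts)
        for i, first in enumerate(events):
            # Every event from this IP inside the window that opens at event i.
            in_window = [e for e in events[i:] if e.ts - first.ts <= window]
            users = {e.user for e in in_window}
            failures = sum(1 for e in in_window if not e.success)
            # Many distinct accounts plus a high failure rate is the stuffing signature;
            # a single account retried many times (198.51.100.4) does not match.
            if len(users) >= min_distinct_users and failures / len(in_window) >= min_fail_ratio:
                findings[ip] = Finding(
                    src_ip=ip,
                    attempts=len(in_window),
                    distinct_users=len(users),
                    failures=failures,
                    compromised=sorted({e.user for e in in_window if e.success}),
                )
                break  # one finding per IP is enough to raise an alert
    return findings


if __name__ == "__main__":
    for f in detect_stuffing(SAMPLE_LOG).values():
        print(f"{f.src_ip}: {f.attempts} attempts against {f.distinct_users} accounts, "
              f"{f.failures} failed; successful logins to {f.compromised or 'none'}")
```

On the constructed input only 203.0.113.7 is flagged, with `dave` listed as the account that was actually entered. In production the same rule would be fed from the identity provider's audit log, and the successful logins inside a flagged burst are the accounts to force a password reset and session revocation on, independent of whether any transaction followed.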

The official notification, which has been sent to all affected account holders, states that confirmation of the attacks was made on December 20. It goes on to say that PayPal has “no information suggesting that any of your personal information was misused as a result of this incident, or that there are any unauthorized transactions on your account.” Access to the impacted accounts was “eliminated for unauthorized third parties” on December 8.

What access did the attackers get to affected PayPal accounts?

While PayPal has no evidence of unauthorized transactions being made, the attackers did, it says, potentially have access to personal data, including “name, address, Social Security number, individual tax identification number, and/or date of birth.”

PayPal is offering affected customers two years of free access to identity monitoring services provided by Equifax.

Customers who have not received the notice of security incident from PayPal were not impacted by this particular credential stuffing campaign. However, if you use login credentials that you also use elsewhere, you are advised to change to unique, strong passwords at all of those services. A password manager, such as 1Password or Bitwarden, can make this a relatively painless exercise.

Don’t reuse passwords, do use two-factor authentication

Timothy Morris, the chief security advisor at Tanium, further advises users to enable two-factor authentication where available: “Strong MFA includes the trifecta of something you know (id/password/secret), have (token, key) and are (biometrics).” Dr. Ilia Kolochenko, founder of ImmuniWeb and a member of the Europol Data Protection Experts Network, is surprised “why MFA authentication is not enforced by default for such a sensitive service as PayPal.”


“High-profile breaches must serve as a wake-up call for organizations large and small to implement a zero-trust architecture, enable MFA, and use strong and unique passwords,” says Craig Lurey, chief technology officer and co-founder at Keeper Security.

Meanwhile, Jasson Casey, chief technology officer at Beyond Identity, goes even further and argues that “you can’t have effective security if you are still using passwords.” While accepting that PayPal is seemingly doing the best it can for the customers involved in this security incident by recommending password changes, Casey insists that “passwords – whether unique or complex – are fundamentally flawed.” Instead, Casey says, organizations should be moving to phishing-resistant credentials such as the FIDO Alliance standard blueprints. “The question is,” Casey concludes, “how many more credential-based attacks will it take before we see real change?”