PayPal Accounts Accessed by Unauthorized Third Parties in Extended Attack
Following confirmed reports that several thousand PayPal customer accounts were accessed by a hacker, a number of readers have asked if this security incident was the result of PayPal itself being compromised.
Was PayPal hacked in December?
The answer is a definite no; hackers did not breach PayPal. The irony here is that breaches of other services were behind the large-scale credential stuffing attack, which led to nearly 35,000 PayPal customer accounts being accessed by an unauthorized third-party criminal actor.
“Other breaches have led to passwords being stolen from a large population used elsewhere, and because people often reuse passwords and have done so for a long time,” said Sam Curry, chief security officer at Cybereason, “hackers were able to brutalize PayPal accounts with these until they found 35,000 matches.” From a security perspective, Curry went on to suggest that the interesting thing here is the number of authentications that failed to gain access to user accounts. “In other words,” Curry says, “what was the pass/fail ratio, and assuming that ratio was abnormal, how long did PayPal take to detect it and protect against it?” Curry views the PayPal credential stuffing security incident as a timely reminder to other companies with valuable data or accounts protected only by passwords. “When PayPal gets stronger,” he concludes, “hackers will also try their ill-gotten passwords on your websites. Are you ready?”
It should be noted that, according to an official security incident notification sent to affected customers, PayPal has “no information to suggest that any of your personal information has been misused as a result of this incident, or that there are unauthorized transactions on your account.”
What is credential stuffing?
With so many online accounts and services requiring a password to access them, the average user has found themselves in a bit of a password overload situation. For example, I have nearly 300 individual accounts protected by a login password. I don’t have the memory of an elephant, but I do have a password manager. Not only does that mean I don’t have to remember all those passwords, but I also don’t have to know what they are. And what they are is long, random and complex – and protected both by the security measures of the password manager I use and, where possible, by a second authentication factor such as a one-time-use code or a hardware key. Although there have been reports of security issues affecting some password managers, as long as you use a strong, unique master password, they remain a safe way to manage login security across multiple accounts.
For many, however, the solution to password fatigue is much simpler and much less secure: password reuse. When passwords are shared between accounts, credential stuffing becomes possible: an automated process of trying many logins from previous breaches to gain access to other high-value accounts. As Timothy Morris, Chief Security Advisor at Tanium, explains, “This is a prevalent problem where users use the same username/password combinations for multiple sites and applications. Identification succeeds because many of these combinations are found on the dark web from prior breaches.”
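Curry’s question above about the pass/fail ratio, and the definition of credential stuffing just given, both come down to something a defender can measure in login logs. The following is an added example written for this article, not PayPal’s or any vendor’s code; it parses constructed login events in an assumed `src=… user=… result=…` format and flags a source that fails against many distinct accounts, which is the signature that separates stuffing from one user mistyping their own password.

```python
import re
from collections import defaultdict

LINE_RE = re.compile(r"src=(?P<src>\S+) user=(?P<user>\S+) result=(?P<result>OK|FAIL)")

# Constructed sample login events (not from PayPal or the article). 198.51.100.7 replays
# leaked username/password pairs against many different accounts and mostly fails;
# 203.0.113.9 is one user who mistypes once and then signs in normally.
SAMPLE_LOG = """\
2023-01-10T10:00:01 src=198.51.100.7 user=alice@example.com result=FAIL
2023-01-10T10:00:02 src=198.51.100.7 user=bob@example.com result=FAIL
2023-01-10T10:00:02 src=198.51.100.7 user=carol@example.com result=OK
2023-01-10T10:00:03 src=198.51.100.7 user=dave@example.com result=FAIL
2023-01-10T10:00:03 src=198.51.100.7 user=erin@example.com result=FAIL
2023-01-10T10:00:04 src=198.51.100.7 user=frank@example.com result=FAIL
2023-01-10T10:00:05 src=198.51.100.7 user=grace@example.com result=FAIL
2023-01-10T10:00:06 src=198.51.100.7 user=heidi@example.com result=FAIL
2023-01-10T10:01:00 src=203.0.113.9 user=mallory@example.com result=FAIL
2023-01-10T10:01:20 src=203.0.113.9 user=mallory@example.com result=OK
"""

def summarize(log_text):
    """Per source address: total attempts, failed attempts, distinct usernames tried."""
    stats = defaultdict(lambda: {"attempts": 0, "fails": 0, "users": set()})
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # skip lines that are not login events
        s = stats[m["src"]]
        s["attempts"] += 1
        s["fails"] += 1 if m["result"] == "FAIL" else 0
        s["users"].add(m["user"])
    return stats

def overall_fail_ratio(log_text):
    """Site-wide share of failed logins, the figure Curry suggests watching for spikes."""
    stats = summarize(log_text).values()
    attempts = sum(s["attempts"] for s in stats)
    return sum(s["fails"] for s in stats) / attempts if attempts else 0.0

def flag_credential_stuffing(log_text, min_attempts=8, min_fail_ratio=0.8, min_users=5):
    """Flag sources with many attempts, a high failure ratio AND many distinct usernames;
    a single user retrying their own password never reaches min_users, so is not flagged."""
    flagged = {}
    for src, s in summarize(log_text).items():
        ratio = s["fails"] / s["attempts"]
        if s["attempts"] >= min_attempts and ratio >= min_fail_ratio and len(s["users"]) >= min_users:
            flagged[src] = {"attempts": s["attempts"], "fail_ratio": round(ratio, 3),
                            "distinct_users": len(s["users"])}
    return flagged
```

In production the same counts would be kept per time window and per account as well as per source, since real campaigns spread attempts across many addresses; the thresholds here are illustrative, not tuned.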
Affected PayPal customers should remain on high alert
Jake Moore, Global Cybersecurity Advisor at ESET, has further advice for the 34,942 affected PayPal account holders. “The owners of the affected accounts should now have been notified, and it would be desirable for these individuals to remain on high alert due to the amount of personal data that may have been accessed during this unfortunately simple breach. Credential stuffing is an automated process by which a malicious actor uses stolen reused login credentials in subsequent password breaches on another account. It remains one of the easiest attack vectors for cybercriminals, but users can easily fight back and protect their accounts in just a few steps. They should now use unique and strong passwords for all their online accounts, especially those related to finance. Entry should also be strengthened by enabling multi-factor authentication. At best, this should be connected via a security key or an authentication app rather than SMS. Worryingly, PayPal currently does not enforce multi-factor authentication at login by default, which would protect accounts more completely and virtually completely stop credential stuffing attacks.”
I contacted PayPal to find out why two-factor authentication is not required.