PayPal itself was not hacked, but thousands of customer accounts have been.
According to a PayPal Security Incident Notice dated January 18, attackers gained unauthorized access to the accounts of 34,942 users between December 6 and December 8, 2022.
What is a credential stuffing attack?
A credential stuffing attack occurs when a threat actor uses an automated process to attempt to log into a service with credentials that have been reused across accounts and subsequently breached on one of them. This is why security experts go to great lengths to advise against reusing passwords.
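As an added illustration that is not part of the original article, the following Python snippet shows the login pattern that distinguishes credential stuffing (one source trying many different accounts, with a low success rate) from a brute-force attack on a single account, and how a defender can flag both the sources and the accounts that were actually opened. The log lines, IP addresses and thresholds are constructed for the example.

```python
# Added example: flagging credential-stuffing sources in constructed auth logs.
# Stuffing differs from single-account brute force: each source cycles through
# many distinct usernames, usually once each, and only a few attempts succeed.
from collections import defaultdict

# Constructed sample log: timestamp, source IP, username, outcome (OK or FAIL).
SAMPLE_LOG = """\
2022-12-06T10:00:01Z 203.0.113.7 alice FAIL
2022-12-06T10:00:02Z 203.0.113.7 bob FAIL
2022-12-06T10:00:03Z 203.0.113.7 carol OK
2022-12-06T10:00:04Z 203.0.113.7 dave FAIL
2022-12-06T10:00:05Z 203.0.113.7 erin FAIL
2022-12-06T10:00:06Z 203.0.113.7 frank FAIL
2022-12-06T10:00:07Z 203.0.113.7 grace FAIL
2022-12-06T10:05:00Z 198.51.100.3 alice FAIL
2022-12-06T10:05:10Z 198.51.100.3 alice OK
2022-12-06T10:09:00Z 192.0.2.9 bob FAIL
2022-12-06T10:09:01Z 192.0.2.9 bob FAIL
2022-12-06T10:09:02Z 192.0.2.9 bob FAIL
2022-12-06T10:09:03Z 192.0.2.9 bob FAIL
2022-12-06T10:09:04Z 192.0.2.9 bob FAIL
"""

def parse(log_text):
    """Yield (ip, username, success) for each non-empty log line."""
    for line in log_text.splitlines():
        if line.strip():
            _ts, ip, user, outcome = line.split()
            yield ip, user, outcome == "OK"

def find_stuffing_sources(log_text, min_accounts=5, max_success_rate=0.2):
    """Return {ip: stats} for sources that tried many distinct accounts
    with a low success ratio (thresholds are illustrative assumptions)."""
    per_ip = defaultdict(lambda: {"users": set(), "attempts": 0, "ok": 0})
    for ip, user, ok in parse(log_text):
        rec = per_ip[ip]
        rec["users"].add(user)
        rec["attempts"] += 1
        rec["ok"] += int(ok)
    flagged = {}
    for ip, rec in per_ip.items():
        distinct = len(rec["users"])
        if distinct >= min_accounts and rec["ok"] / rec["attempts"] <= max_success_rate:
            flagged[ip] = {"distinct_accounts": distinct,
                           "attempts": rec["attempts"], "successes": rec["ok"]}
    return flagged

def compromised_accounts(log_text):
    """Accounts successfully opened from a flagged source: the ones a provider
    would lock and notify (as PayPal did), not the whole user base."""
    flagged = find_stuffing_sources(log_text)
    return {user for ip, user, ok in parse(log_text) if ok and ip in flagged}
```

The single-account brute force from 192.0.2.9 and the legitimate retry from 198.51.100.3 are deliberately not flagged; only the source that walked through many usernames is.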
The official notification, which has been sent to all affected account holders, states that the attacks were confirmed on December 20. It goes on to say that PayPal has “no information to suggest that any of your personal information was misused as a result of this incident, or that there are any unauthorized transactions on your account.” Access to impacted accounts was “removed for unauthorized third parties” on December 8.
What access did the attackers gain to the affected PayPal accounts?
Although PayPal has no evidence of unauthorized transactions, the attackers potentially gained access to personal data, including “name, address, social security number, individual tax identification number, and/or date of birth.”
PayPal is offering affected customers two years of free access to identity monitoring services provided by Equifax.
Customers who did not receive PayPal’s Security Incident Notice will not have been affected by this particular concerted credential stuffing attack. However, if you use login credentials that you also use elsewhere, you are advised to switch to unique and strong passwords for all such services. A password manager, such as 1Password or BitWarden, can help make this exercise relatively painless.
Do not reuse passwords, use two-factor authentication
Timothy Morris, Chief Security Advisor at Tanium, further advises users to enable two-factor authentication when available: “Strong MFA includes the trifecta of something you know (login/password/secret), something you have (token, key) and something you are (biometric data).” Dr Ilia Kolochenko, founder of ImmuniWeb and a member of Europol’s Data Protection Experts Network, points out that “MFA authentication is not applied by default for a service as sensitive as PayPal”.
“Massive breaches should serve as a wake-up call for businesses large and small to implement a zero-trust architecture, enable MFA, and use strong, unique passwords,” said Craig Lurey, Chief Technology Officer and co-founder of Keeper Security.
Meanwhile, Jasson Casey, Chief Technology Officer at Beyond Identity, goes one step further and says that “you can’t have effective security if you’re always using passwords.” While agreeing that PayPal is apparently doing its best for customers involved in this security incident by recommending password changes, Casey insists that “passwords – whether unique or complex – are fundamentally defective”. Instead, Casey says, organizations should adopt phishing-resistant credentials such as those based on FIDO Alliance standards. “The question is,” Casey concludes, “how many more credential-based attacks will it take before we see real change?”