35,000 PayPal Accounts Hacked in Credential Stuffing Attack


The personal information of 35,000 PayPal users has been seized by hackers according to a security incident notification letter sent to thousands of affected account holders. 

The letter says the attack occurred between December 6 and 8 last year but was only confirmed two weeks later, following an investigation into the incident. 

“Unauthorised third parties were able to view, and potentially acquire, some personal information for certain PayPal users,” PayPal stated. It urged affected customers to “remain vigilant and carefully review your accounts for any suspicious activity.” 

The fintech giant admitted stolen data could include names, addresses, social security numbers, individual tax identification numbers and dates of birth of affected customers, but insisted there was no evidence of the data being misused for malicious activity. 

“We have no information suggesting that any of your personal information was misused as a result of this incident, or that there are any unauthorised transactions on your account,” it assured affected 

But Julia O’Toole, CEO of MyCena Security Solutions, warns that this should provide little comfort to the account holders targeted by the hackers. 

“The attackers can target these victims with phishing emails and identity theft scams and use those passwords again on other sites,” she told Infosecurity Magazine. 

A wake-up call to password recyclers

Investigators say the stolen data was obtained through credential stuffing. The attack involves actors using automated bots to “stuff” thousands of already compromised usernames and passwords from multiple websites into the login page of a target system. 

Credential stuffing attacks specifically target users that use the same password for multiple online accounts, a process referred to as “password recycling.”
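The pattern described above (one source cycling through many different usernames, most of them failing) is what makes credential stuffing detectable in authentication logs, and it is distinct from a single user fumbling a password or a brute-force attack on one account. The following detection logic is an added example and is not code from the article or from PayPal; the log format, the sample lines and the thresholds (8 distinct usernames and a 70% failure rate within 5 minutes) are constructed assumptions for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample login events (not real PayPal logs). One line per attempt.
# 203.0.113.5 tries ten different accounts in a few seconds and gets one hit;
# 198.51.100.7 is one user retrying their own password; 192.0.2.9 is normal.
SAMPLE_LOG = """\
2022-12-07T10:00:01Z ip=203.0.113.5 user=alice result=FAIL
2022-12-07T10:00:02Z ip=203.0.113.5 user=bob result=FAIL
2022-12-07T10:00:02Z ip=203.0.113.5 user=carol result=FAIL
2022-12-07T10:00:03Z ip=203.0.113.5 user=dave result=FAIL
2022-12-07T10:00:03Z ip=203.0.113.5 user=erin result=SUCCESS
2022-12-07T10:00:04Z ip=203.0.113.5 user=frank result=FAIL
2022-12-07T10:00:04Z ip=203.0.113.5 user=grace result=FAIL
2022-12-07T10:00:05Z ip=203.0.113.5 user=heidi result=FAIL
2022-12-07T10:00:05Z ip=203.0.113.5 user=ivan result=FAIL
2022-12-07T10:00:06Z ip=203.0.113.5 user=judy result=FAIL
2022-12-07T10:02:00Z ip=198.51.100.7 user=mallory result=FAIL
2022-12-07T10:02:10Z ip=198.51.100.7 user=mallory result=FAIL
2022-12-07T10:02:20Z ip=198.51.100.7 user=mallory result=SUCCESS
2022-12-07T10:03:00Z ip=192.0.2.9 user=oscar result=SUCCESS
"""

# Assumed log line layout: "<ISO timestamp> ip=<addr> user=<name> result=<FAIL|SUCCESS>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) ip=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<result>\S+)$"
)


def parse_log(text):
    """Parse log text into (timestamp, ip, user, succeeded) tuples, skipping malformed lines."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # tolerate garbage rather than crash the detector
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append((ts, m["ip"], m["user"], m["result"] == "SUCCESS"))
    return events


def detect_credential_stuffing(events, window=timedelta(minutes=5),
                               min_users=8, min_fail_ratio=0.7):
    """Flag source IPs that, within one time window, hit many distinct usernames
    with a high failure rate. Returns {ip: summary} for the widest matching window.
    A brute-force attack (one user, many passwords) deliberately does NOT match."""
    by_ip = defaultdict(list)
    for ts, ip, user, ok in events:
        by_ip[ip].append((ts, user, ok))

    findings = {}
    for ip, attempts in by_ip.items():
        attempts.sort()
        start = 0
        for end in range(len(attempts)):
            # slide the window start forward until it spans at most `window`
            while attempts[end][0] - attempts[start][0] > window:
                start += 1
            win = attempts[start:end + 1]
            users = {u for _, u, _ in win}
            fails = sum(1 for _, _, ok in win if not ok)
            ratio = fails / len(win)
            if len(users) >= min_users and ratio >= min_fail_ratio:
                best = findings.get(ip)
                if best is None or len(users) > best["distinct_users"]:
                    findings[ip] = {
                        "attempts": len(win),
                        "distinct_users": len(users),
                        "fail_ratio": round(ratio, 2),
                        # accounts the stuffer actually got into
                        "successful_users": sorted({u for _, u, ok in win if ok}),
                    }
    return findings


def accounts_to_reset(findings):
    """Accounts that saw a successful login from a flagged source: these are the
    ones to force a password reset and an MFA challenge on, not the whole user base."""
    return sorted({u for f in findings.values() for u in f["successful_users"]})


if __name__ == "__main__":
    hits = detect_credential_stuffing(parse_log(SAMPLE_LOG))
    for ip, summary in hits.items():
        print(ip, summary)
    print("reset:", accounts_to_reset(hits))
```

The two signals together matter: a high failure rate alone also describes a legitimate user who forgot their password, and many distinct usernames alone also describes a shared corporate proxy. Tune the window and thresholds against your own traffic, and treat the `successful_users` list as the incident's actual blast radius, which is what a targeted password reset like the one PayPal describes should be driven by.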

Security experts have warned that enterprises must urge their users to change their passwords regularly or, at a minimum, ensure Multi-Factor Authentication (MFA) measures are in place to protect customers from falling victim to such attacks. 

In PayPal’s case, none of these measures were in place. The payment platform advises users to activate MFA from the account settings menu but does not currently enforce the security measure as a standard for all users. 

“It is at least surprising why MFA authentication is not enforced by default for such a sensitive service as PayPal,” Dr Ilia Kolochenko, Founder of ImmuniWeb and member of Europol Data Protection Experts Network said in response to the incident. 

“Modern MFA technologies cost almost nothing to implement and should be enabled by default by financial service providers as a foundational security control,” he explained. 

Experts note that credential-stuffing attacks can be avoided if MFA is enforced by an enterprise, because even with a valid username and password, the unauthorised parties would not have been able to access the account. 

"High-profile breaches must serve as a wake-up call for organisations large and small to implement a zero-trust architecture, enable MFA, and use strong and unique passwords," Craig Lurey, co-founder at Keeper Security told Forbes.


PayPal said it had already reset the passwords of the affected accounts and implemented enhanced security controls to prevent unauthorised actors from obtaining personal information. 

It added that it would provide two years of free access to Equifax monitoring services to prevent hackers from using the stolen data for different purposes in the future. 

1.35 million PayPal users’ data in the hands of hackers

PayPal joins the long list of large corporations that have fallen victim to cyberattacks in the first few weeks of 2023. 

In the first week of January, the email addresses, phone numbers and other identifying information of 200 million Twitter users were scraped by hackers and posted online.

Just a few days later, the UK’s national postal service, Royal Mail, was hit by a devastating ransomware attack that left its international export services powerless. 

And PayPal’s cybersecurity fiasco may not be over yet. Yesterday, Alon Gal, Co-founder of cybersecurity watchdog Hudson Rock, said in a LinkedIn post that as many as 1.35 million PayPal users’ data may be in the hands of hackers.

The co-founder had previously notified Twitter that hackers had obtained private details linked to 400 million Twitter accounts days before the social media giant was struck by a huge data leak affecting 200 million users. 
