PayPal user data compromised in credential-stuffing incident.
Jan 20, 2023

PayPal disclosed a credential stuffing incident Wednesday impacting thousands of user accounts in early December 2022.

On January 18, PayPal said in a security incident notice that unauthorized parties accessed thousands of user accounts between December 6 and 8 of last year in a credential stuffing attack.

Password reuse may be PayPal victims’ downfall.

A credential stuffing attack, as Bleeping Computer explains, uses a bot to try username and password pairs taken from earlier breaches against accounts on other sites. Users who reuse the same password across accounts that share a username or email address (“password recycling”) are therefore the most likely to fall victim. Forbes writes that, as of yesterday, the incident was reported to have given threat actors access to 34,942 PayPal accounts. In a statement to EcommerceBytes, PayPal asserts that no financial information was accessed and that payment systems were not affected, and reports that it is reaching out to those impacted:

“We have contacted affected customers directly to provide guidance on this matter to help them further protect their information. The security and privacy of our customers’ account information remains a top priority for PayPal, and we sincerely apologize for any inconvenience this may have caused.”

Expert commentary on the implications of the PayPal breach, and best practices for affected users moving forward.

Chris Hauk, consumer privacy champion at Pixel Privacy, references the importance of unique passwords:

“This breach can be linked to password reuse. Users that use the same password on multiple accounts run the risk of having their accounts breached, as bad actors use the login info retrieved in other data breaches to try credential stuffing attacks against other accounts that are held by the targeted victim. This can be easily prevented by users making sure they use a unique password on all of their accounts.”

Paul Bischoff, privacy advocate with Comparitech, attributes the attack to users who reuse passwords across accounts, and advises best practices for users:

“Although many PayPal accounts were affected, the attack was not the result of PayPal's lack of security. Instead, it's the result of PayPal users re-using the same password on PayPal and other websites. If you use the same password on multiple accounts and one of them is compromised, then all of them can be compromised. In a credential stuffing attack, attackers use bots to attempt thousands of logins within seconds. PayPal is one of the most frequently impersonated companies in phishing emails and other scam attempts. Always ensure you're logging into the real PayPal website. Inspect the URL for spelling errors and never click on links or attachments in unsolicited emails. Affected users should keep an eye on their credit reports and take advantage of the credit monitoring being offered.”

Gil Dabah, co-founder and CEO of Piiano, draws two lessons from this incident, the importance of enabling 2FA and of not reusing passwords across accounts:

“This type of breach demonstrates the importance for users to enable 2FA (two-factor authentication) AND not reuse passwords. This would have been avoided if PayPal had enforced the utilization of 2FA for all of its users. Although 2FA is less convenient for users since they need to approve their login using their mobile phone, it is highly recommended to use it, especially when a logged-in user can perform financial transactions.” 

Dr. Ilia Kolochenko, Founder of ImmuniWeb and a member of the Europol Data Protection Experts Network, finds it unusual that PayPal does not enforce MFA:

“It is at least surprising why MFA authentication is not enforced by default for such a sensitive service as PayPal. Moreover, any unusual activity, such as login from an unknown location or new device should be rapidly reported to the user and the account may be temporarily suspended unless the user takes an action.

“Modern MFA technologies cost almost nothing to implement and should be enabled by default by financial service providers as a foundational security control. In the meantime, all users should urgently enable MFA everywhere, especially in view of the recent LastPass data breach.”

Erich Kron, security awareness advocate at KnowBe4, commented on password reuse and the ease it affords threat actors in credential-stuffing attacks:

“While people often understand that having strong, complex passwords is important to their security, they often don't understand the risks related to reusing even the strongest passwords across multiple services. Cybercriminals, on the other hand, understand how likely it is for people to reuse passwords. This is what allows credential stuffing attacks to be so successful. Bad actors will take credentials scavenged from other data breaches and attempt to use them on other likely services such as banks, online shopping sites, social media, and in this case, online payment sites.

“By using automated tools to parse previously compiled lists of breached usernames and passwords, cyber criminals can attack with thousands, or even millions of attempts with very little effort on their part. To protect against these sorts of attacks, it is important for people to use different, but still strong and complex passwords on every service. Remembering all of these passwords can be nearly impossible; however, through the use of password managers which can generate and store completely unique passwords, this can be achieved without a significant amount of effort. In addition, the application of Multi-Factor Authentication (MFA) can be very helpful in these cases of account takeovers. While this is not a silver bullet against these attacks and does not replace the need for unique complex passwords, it can significantly improve security when used together.”

Matt Rider, Vice President, Sales Engineering at Exabeam, gives kudos to PayPal for quickly addressing the situation, and notes that many SOCs struggle with detection of credential-based attacks:

“All indications are that PayPal got their arms around this well and should be applauded for doing so. This is likely the result of good security education within the organization, established visibility, and effective technical capabilities. These factors are the keys to identifying and responding to compromised-credential attacks.

“The sad fact is that many security operation centers (SOCs) still fail to detect credential-based attacks. A lack of visibility into credential misuse is far more common, which makes PayPal’s efforts here a rare exception to the norm. Organizations generally struggle to spot attackers moving laterally around their networks.

“The most effective detective capability is the development of a baseline for normal employee behavior, which can specifically assist security teams with identifying the use of compromised credentials for initial access and later maintaining network access. If you know what normal behavior looks like first, abnormalities are far easier to spot quickly.”
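The detection approach Kolochenko and Rider describe, flagging logins from unknown locations or devices against a per-user baseline and spotting a single source cycling through many accounts with mostly failed attempts, as an added Python example that is not from the article or from any quoted vendor; the log format and all sample lines are constructed:

```python
"""Credential-stuffing detection heuristics over authentication logs.
Added example; log format "timestamp ip user device outcome" is constructed."""
from collections import defaultdict

# Constructed known-good logins used to build each user's baseline (not real data).
BASELINE_LOG = """\
2022-11-20T08:00:00Z 198.51.100.5 carol dev-c OK
2022-11-25T18:30:00Z 192.0.2.44 frank dev-f OK
"""
# Constructed incident-window log: one source trying many accounts in seconds.
INCIDENT_LOG = """\
2022-12-06T01:00:01Z 203.0.113.7 alice dev-a FAIL
2022-12-06T01:00:02Z 203.0.113.7 bob dev-a FAIL
2022-12-06T01:00:03Z 203.0.113.7 carol dev-a OK
2022-12-06T01:00:04Z 203.0.113.7 dave dev-a FAIL
2022-12-06T01:00:05Z 203.0.113.7 erin dev-a FAIL
2022-12-06T01:00:06Z 203.0.113.7 frank dev-a OK
2022-12-06T09:12:00Z 198.51.100.5 carol dev-c OK
"""

def parse(log):
    """Turn the constructed log text into a list of event dicts."""
    events = []
    for line in log.splitlines():
        ts, ip, user, device, outcome = line.split()
        events.append({"ts": ts, "ip": ip, "user": user,
                       "device": device, "ok": outcome == "OK"})
    return events

def stuffing_sources(events, min_users=5, max_success_rate=0.5):
    """IPs that hit many distinct accounts with a mostly-failing pattern.
    Returns {ip: sorted list of accounts that source logged into}."""
    by_ip = defaultdict(list)
    for e in events:
        by_ip[e["ip"]].append(e)
    flagged = {}
    for ip, evs in by_ip.items():
        users = {e["user"] for e in evs}
        rate = sum(e["ok"] for e in evs) / len(evs)
        if len(users) >= min_users and rate <= max_success_rate:
            flagged[ip] = sorted(e["user"] for e in evs if e["ok"])
    return flagged

def build_baseline(events):
    """Per-user set of (ip, device) pairs seen on successful logins."""
    seen = defaultdict(set)
    for e in events:
        if e["ok"]:
            seen[e["user"]].add((e["ip"], e["device"]))
    return seen

def novel_logins(events, known):
    """Successful logins from an (ip, device) pair outside the user's baseline."""
    return [(e["user"], e["ip"], e["device"]) for e in events
            if e["ok"] and (e["ip"], e["device"]) not in known.get(e["user"], set())]
```

Both signals fire here: the stuffing source is flagged for the two accounts it entered, and those same two logins appear as first-seen device/location pairs for their users, which is the alert Kolochenko says should reach the user promptly.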

Jason Kent, Hacker in Residence at Cequence Security, says he sees this as a verification attack, and credits PayPal for a quick response:

“To me, this was a verification attack. Account verification attacks occur when an attacker attempts to find out the valid username and password combinations. These attacks look like credential stuffing attacks but their goal is to generate a list of valid usernames and passwords to sell onward.

“The value in the list is that it is verified. My guess is the usernames and passwords were sourced by some other breach that pointed to the possibility of the accounts having PayPal access.

“If this is the case, PayPal did a good job of impacting the attacker here in that now all of these accounts are reset and they won't be able to harm the PayPal account further. However, the PII gained is a concern. Complete PII packages are worth about $10 according to the check I got for the Equifax breach; this means that an attacker was just set back for $34k+ in revenue as the accounts are invalid on the platform and are eligible for credit monitoring.”