Nearly 35,000 PayPal user accounts fell victim to a recent credential-stuffing attack that exposed personal data likely to be used to fuel additional, follow-on attacks.
PayPal submitted a breach disclosure that revealed that the attack began on Dec. 6, 2022 and continued until it was discovered on Dec. 20, 2002. As a result, the names, addresses, Social Security numbers, tax identification numbers, and/or dates of birth for 34,942 users were exposed.
“We have no information suggesting that any of your personal information was misused as a result of this incident, or that there are any unauthorized transactions on your account,” PayPal explained in a letter sent to affected users. “There is also no evidence that your login credentials were obtained from any PayPal systems.”
PayPal added that once the attack was discovered, account passwords were reset, and additional security controls were put in place. The payment platform is offering Equifax identity theft monitoring for victims.
Stolen Credential Ecosystem
The credential-stuffing attack on PayPal was likely a way for threat actors to validate username and passwords they had already obtained; now that they’ve been checked against breached PayPal accounts, those verified credentials will be sold to another threat actor, according to Jason Kent, hacker in residence with Cequence Security.
“The value in the list is that it is verified,” Kent said in a statement provided to Dark Reading. “My guess is the usernames and passwords were sourced by some other breach that pointed to the possibility of the accounts having PayPal access.”
Password Reuse the True Culprit
Even the strongest, most complex passwords can’t keep data secure if they’re reused across accounts. The PayPal accounts might have been protected in this case if they’d had unique passwords, noted Erich Kron, security awareness advocate at KnowBe4.
“This is what allows credential-stuffing attacks to be so successful,” Kron said in a statement about the incident. “Bad actors will take credentials scavenged from other data breaches and attempt to use them on other likely services such as banks, online shopping sites, social media, and in this case, online payment sites.”
While a password manager isn’t a “silver bullet,” Kron added, it’s an important added layer of protection against credential-stuffing attacks like that on PayPal.
“Remembering all of these passwords can be nearly impossible; however, through the use of password managers which can generate and store completely unique passwords, this can be achieved without a significant amount of effort,” Kron said. “In addition, the application of multi-factor authentication can be very helpful in these cases of account takeovers.”