PayPal has been sending notifications to thousands of users to warn them of a data breach caused by access to their accounts through credential stuffing attacks. Explaining the attack more clearly, malicious actors have been testing username and password combinations obtained from other data leaks, and it is that there are many who end up reusing the same password in various services.
Carrying out attacks manually by obtaining credentials to test against various services would be cumbersome, so attackers often use an automated approach with bots running credential lists to fill out service access forms.
PayPal explains that the credential stuffing attack occurred between December 6 and 8, 2022 and that he took measures as soon as he detected it. However, the company did not stop there, but also carried out an internal investigation to find out how the attackers obtained the user credentials and the corresponding access to their accounts.
The payment intermediation company finished its investigation on December 20, 2022, concluding that unauthorized third parties managed to gain access with valid credentials. On the other hand, it has also stated that it has not detected any breach in its systems and has no evidence that the credentials were obtained from its databases.
The report published by PayPal regarding the data breach indicates that it affected a total of 34,942 users. During the two days of the attack, the malicious actors managed to gain access to data such as full names, dates of birth, mailing addresses, social security numbers, tax identification numbers of account holders, transaction history, credit or debit card details and PayPal billing information.
To end the attack, PayPal took the necessary measures to limit access by attackers and has carried out ex officio the reset of passwords of the accounts he was able to confirm were breached. However, it is shocking to see that, at least according to the company’s version, the attackers did not carry out any money transactions or were unable to do so. It is also not aware of any misuse of data accessed by malicious actors.
PayPal recommends using a strong, long password that combines alphanumeric characters and symbols and that is not reused (which can be helped by using a password manager), as well as advising enabling two-step authentication starting of the account settings. Users affected by the breach will receive a free two-year identity monitoring service from Equifax.
