According to Bleeping Computer (opens in new tab), 34,942 PayPal users have been affected by this latest credential stuffing attack against their system. Credential stuffing is an automated method of stuffing a website with as many known login credentials as possible, which is why password recycling is a problem.
Many websites do not have the security that, for example, banks or PayPal employ to protect personal information. Most people do not store their valuables in plastic safes, but they also do not put the PINs of real safes in their safes. It is much easier for the bad guys if you use the same password, especially if you use the same login name for multiple sites.
PayPal discovered that this attack took place in early December 2022 (open in new tab) and upon investigation was able to confirm that credential stuffing may have been used.
During the two days the attack was running, hackers had access to all kinds of personal information, including full names, dates of birth, addresses, social security numbers, and taxpayer identification numbers. They were also able to view PayPal transaction details, including credit card and banking information.
What is a bit odd, however, is that they did nothing with this information. At least, not yet; PayPal has found no evidence that the attackers attempted to conduct transactions. Whether this was an effort to see if someone could simply do it, like the recently exposed TSA no-fly list (opens in new tab), or whether we should expect more nefarious behavior to follow is unclear.
PayPal has changed passwords, notified affected users, and offered two years of free Equifax identity monitoring to keep an eye on things. The company recommends enabling two-factor authentication to protect against such attacks in the future and, of course, changing and not reusing passwords (opens in new tab). Especially where you plan to keep something as important as your ID.
Comments