PayPal Accounts Succumb to Credential Stuffing AttackAbout 35,000 Affected by 2-Day Attack in December, Says Online Payments Giant
Online payment giant PayPal says hackers in December successfully ran an automated attack using previously breached username and password combinations to gain access to the accounts of about 35,000 Americans.
The San Jose, California-based company revealed the attack in notification letters being sent to 34,942 individuals. The attack, known as credential stuffing, transpired between Dec. 6, 2022, and Dec. 8, 2022, and exposed data including names, addresses and Social Security numbers. PayPal says it has not detected unauthorized transactions emanating from affected accounts.
The company is offering two years of free identity monitoring service from Equifax to affected users. In a statement sent the day after this article published, a PayPal spokesperson told Information Security Media Group that the incident "affected a small number of PayPal customer accounts" and stressed that hackers did not access financial information. "We sincerely apologize for any inconvenience this may have caused," the spokesperson said.*
In the arsenal of hacking methods available to attackers, credential stuffing is neither particularly sophisticated nor successful. Some say the likelihood of pairing a previously breached username with a password and unlocking another account is less than 1%.
Credential stuffing nonetheless persists, an inevitable consequence of massive breaches containing credentials stored in plain text or protected by hashing algorithms susceptible to reversal.
A 2021 analysis of credential stuffing attacks by cybersecurity firm F5 concluded that the known number of attacks is rising but the annual volume of spilled credentials is going down. The rise in reported events could be a function of improved detection, the report said.
Security experts consistently advise individuals to lessen their online exposure by using strong and unique passwords for each account and to turn on multifactor authentication wherever possible. Given the difficulty of remembering long passwords not based on a pattern - passwords with a combination of random alphanumeric characters - that advice comes paired with recommendation to use a password manager. The National Institute of Standards of Technology says password should be at least eight characters long, although other cybersecurity experts suggest a length of between 11 and 15 characters.
Password managers aren't necessarily hacker-proof, but the combination of a password manager storing complex and unique passwords for each account that's protected by a strong master password plus multifactor authentication for access remains the industry standard for security, far outstripping a typical user's ability to secure accounts.
*Update Jan. 20, 2023 18:33 UTC: Adds comment from PayPal spokesperson.