Following confirmed reports that many thousands of PayPal customer accounts were accessed by a criminal hacker, a number of readers have asked if this security incident was a result of PayPal itself being compromised.
Was PayPal itself hacked in December?
The answer is an emphatic no; hackers did not breach PayPal. The irony here is that it will have been breaches at other services that were behind the large-scale credential stuffing attack, which led to nearly 35,000 PayPal customer accounts being accessed by an unauthorized third-party criminal actor.
“Other breaches led to a large population’s passwords in use elsewhere being stolen, and because people often reuse passwords and have done so for a long time,” Sam Curry, the chief security officer at Cybereason, says, “the hackers were able to brute slam PayPal accounts with these until they found 35,000 matches.” From a security perspective, Curry went on to suggest that the interesting thing here is how many authentications failed to access user accounts. “In other words,” Curry says, “what was the ratio of success-to-failure, and assuming that that ratio is anomalous, how long did PayPal take to detect and protect against it?” Curry sees the PayPal credential stuffing security incident as a timely reminder to other companies with valuable data or accounts protected by passwords alone. “When PayPal forts up,” he concludes, “the hackers will try their ill-gotten passwords on your websites too. Are you ready?”
It should be noted that, according to an official security incident notification sent out to affected customers, PayPal has “no information suggesting that any of your personal information was misused as a result of this incident, or that there are any unauthorized transactions on your account.”
What is credential stuffing?
With so many online accounts and services requiring a password to access, the average user has ended up in something of a password overload situation. By way of example, I have almost 300 individual accounts protected by a login password. I don’t have an elephant’s memory, but I do have a password manager. Not only does this mean I don’t have to remember all those passwords, but I also don’t have to know what they are. And what they are is long, random, and complex—and protected by both the security measures of the password manager I use and, where possible, a second authentication factor such as a one-time code or hardware key. Although there have been reports of security issues affecting some password managers, as long as you use a strong and unique master password they remain a safe way to deal with login security across multiple accounts.
For many, however, the solution to password fatigue is a lot simpler and a lot less secure: password reuse. When passwords are shared between accounts, the opportunity for credential stuffing arises: an automated process of trying large numbers of login credentials harvested from previous breaches against other, high-value accounts. As Timothy Morris, the chief security advisor at Tanium, explains, “this is a prevailing issue where users are using the same id/password combinations for multiple sites and applications. Credential stuffing is successful because many of those combinations are on the dark web from previous breaches.”
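As an added illustration of Curry's success-to-failure point and of the automated pattern Morris describes (this is not code from the article, from PayPal or from any company quoted), the following Python script scores constructed sample authentication log lines, whose format is an assumption, by per-source failure rate and by spread across distinct accounts:

```python
from collections import defaultdict
import re

# Constructed sample log lines; the line format itself is an assumption.
SAMPLE_LOG = """\
2022-12-06T10:00:01Z src=203.0.113.7 user=alice result=FAIL
2022-12-06T10:00:02Z src=203.0.113.7 user=bob result=FAIL
2022-12-06T10:00:03Z src=203.0.113.7 user=carol result=SUCCESS
2022-12-06T10:00:04Z src=203.0.113.7 user=dave result=FAIL
2022-12-06T10:00:05Z src=203.0.113.7 user=erin result=FAIL
2022-12-06T10:00:06Z src=203.0.113.7 user=frank result=FAIL
2022-12-06T10:00:07Z src=198.51.100.3 user=grace result=FAIL
2022-12-06T10:00:09Z src=198.51.100.3 user=grace result=SUCCESS
garbage line that should be skipped
"""

LINE_RE = re.compile(r"^\S+ src=(\S+) user=(\S+) result=(SUCCESS|FAIL)$")

def parse(log):
    """Yield (src, user, succeeded) for every well-formed line; skip the rest."""
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m.group(1), m.group(2), m.group(3) == "SUCCESS"

def success_ratio(log):
    """Overall successes / attempts: the figure to compare against a normal baseline."""
    events = list(parse(log))
    return sum(ok for _, _, ok in events) / len(events) if events else None

def flag_stuffing(log, min_attempts=5, min_distinct_users=5, max_success_ratio=0.25):
    """Return {src: (attempts, distinct_users, successes)} for sources that
    spray many different accounts and mostly fail, the signature of stuffing
    (a user retrying a typo hits one account and usually succeeds soon)."""
    stats = defaultdict(lambda: [0, set(), 0])
    for src, user, ok in parse(log):
        s = stats[src]
        s[0] += 1          # attempts from this source
        s[1].add(user)     # distinct accounts tried
        s[2] += ok         # successful logins
    flagged = {}
    for src, (attempts, users, successes) in stats.items():
        if (attempts >= min_attempts and len(users) >= min_distinct_users
                and successes / attempts <= max_success_ratio):
            flagged[src] = (attempts, len(users), successes)
    return flagged

if __name__ == "__main__":
    print(success_ratio(SAMPLE_LOG), flag_stuffing(SAMPLE_LOG))
```

The thresholds are illustrative; in practice they are tuned against the service's own baseline ratio, and a drop in that ratio is what Curry suggests PayPal should have been watching for.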
Affected PayPal customers need to remain on high alert
Jake Moore, the global cyber security advisor at ESET, has further advice for concerned PayPal customers among the 34,942 account holders impacted here. “The owners of the affected accounts should by now have been notified, and it would be advisable for those people to remain on high alert due to the amount of personal data that may have been accessed in this unfortunately simple breach. Credential stuffing is an automated process where a threat actor uses reused log-on credentials stolen from subsequent password breaches on another account. It remains one of the easiest of attack vectors for cybercriminals, but users can easily fight back and protect their accounts in just a few steps. Everyone by now should be using unique, strong passwords for all of their online accounts, particularly those connected to finances. Entry should also be bolstered by enabling multi-factor authentication. At best, this should be connected via a security key or authenticator app rather than with SMS. It is worrying that PayPal does not currently enforce multi-factor authentication at login as default which would protect accounts more fully and virtually stop credential stuffing attacks altogether.”
I have reached out to PayPal for comment regarding why account two-factor authentication isn’t mandatory.