PayPal says crooks poked around 35,000 accounts in credential stuffing attack

The personal information of 35,000 PayPal users was exposed in December, according to a notification letter sent to the online payment company's customers this week.

PayPal attributed this privacy breach to "unauthorized parties," who accessed accounts using customer login credentials. That is to say, whoever got into the accounts had found out or guessed their victims' usernames and passwords, possibly by taking the creds from another site where people have reused the same login details.

This is why it's important to use a unique password per site or app you use.

Information submitted to the Attorney General the US state of Maine revealed this credential-stuffing attack affected 34,942 customers on December 6.

The exposed information included customers' names, addresses, Social Security numbers, individual tax identification numbers, and dates of birth. 

"We have no information suggesting that any of your personal information was misused as a result of this incident, or that there are any unauthorized transactions on your account," the notification letter [PDF] said. "There is also no evidence that your login credentials were obtained from any PayPal systems."

Upon discovering the raid on accounts later in the month, PayPal said it "promptly" launched an investigation and took steps to prevent the crooks from stealing additional customer information — like bank account info, we would assume. Additionally, the payment company reset passwords belonging to affected PayPal accounts, and "implemented enhanced security controls." 

PayPal did not inform law enforcement about the security snafu, according to the notification.

The financial goliath did not address The Register's questions on, among other things, why it didn't involve the cops and what are some of the enhanced security measures it has implemented since discovering the attack. Instead a spinner told us:

PayPal is giving affected customers two years of free Equifax services, although the credit monitoring firm doesn't have the best track record when it comes to protecting customer data, either.

In 2017, Equifax was compromised in a cyberattack that the company attributed to the Chinese military in which the attackers stole personal information belonging to about 146.6 million people in the US, Canada, and the UK.

This latest snafu also happened a couple months after the PayPal implemented added passkeys for passwordless login to accounts across Apple devices in a move to provide customers with a more secure authentication method compared to passwords. 

• PayPal ditches passwords, at least on Apple devices
• Mailchimp 'fesses up to second digital burglary in five months
• Ransomware attack severs 1,000 ships from their on-shore servers
• For password protection, dump LastPass for open source Bitwarden

According to Microsoft, 579 attacks involving passwords occur every second, or about 18 billion a year. Many of them are successful, mainly because people have a tendency to pick poor passwords or reuse them across multiple accounts.

Multi-factor authentication could have prevented this and similar credential-stuffing attacks, according to Timothy Morris, chief security advisor at Tanium.

"This is a prevailing issue where users are using the same id/password combinations for multiple sites and applications," he told The Register, adding that info stolen from PayPal customers could be used for identity theft or sold on hacking forums. 

"Credential stuffing is successful because many of those combinations are on the dark web from previous breaches," Morris said. ®