PayPal Holdings Inc. has disclosed a data breach that involved the theft of information from 35,000 customers in a credential stuffing attack.
In a filing with the Office of the Maine Attorney General, PayPal disclosed that the breach occurred between Dec. 6 and Dec. 8 and was detected on Dec. 20. Details believed to have been accessed include names, addresses, Social Security numbers, tax identification numbers and dates of birth.
Along with launching an investigation, PayPal reset the passwords of all affected accounts and implemented enhanced security controls. Affected users are also being offered two years of free identity monitoring services from Equifax Inc.
In a credential stuffing attack, the attacker takes username and password pairs leaked in earlier breaches of other sites and replays them, usually at high volume through automated tooling, against the target's login page. Each pair is typically tried only once per account, which is what distinguishes stuffing from brute-forcing a single account with many password guesses. The method works only because people reuse passwords across sites, a dangerous habit in the age of perpetual data breaches but one that is all too common.
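The pattern described above has a recognizable footprint in authentication logs: one source hitting many distinct accounts in a short window, mostly failing, with the occasional success where the password was reused. The following is an added example of that detection logic run over constructed sample log lines; it is not PayPal's code or anything from the article, and the log format, the thresholds and the sample IPs and usernames are assumptions made for illustration. It also returns the accounts that logged in successfully from a flagged source, which is the set that needs the kind of password reset the article mentions.

```python
"""Flag credential-stuffing sources in an authentication log.

Added example: this is not PayPal's code or anything from the article.
The log format, thresholds and the sample lines below are constructed
assumptions for illustration only.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: "<ISO-8601 timestamp> <source IP> <username> <OK|FAIL>".
# 203.0.113.7 sprays one leaked pair per account (stuffing); 198.51.100.20 is a
# single user mistyping a password; 192.0.2.55 is an ordinary login.
SAMPLE_LOG = """\
2022-12-06T02:00:01Z 203.0.113.7 alice FAIL
2022-12-06T02:00:02Z 203.0.113.7 bob FAIL
2022-12-06T02:00:02Z 203.0.113.7 carol OK
2022-12-06T02:00:03Z 203.0.113.7 dave FAIL
2022-12-06T02:00:03Z 203.0.113.7 erin FAIL
2022-12-06T02:00:04Z 203.0.113.7 frank OK
2022-12-06T02:00:04Z 203.0.113.7 grace FAIL
2022-12-06T02:00:05Z 203.0.113.7 heidi FAIL
2022-12-06T02:00:05Z 203.0.113.7 ivan FAIL
2022-12-06T02:00:06Z 203.0.113.7 judy FAIL
2022-12-06T02:00:06Z 203.0.113.7 mallory FAIL
2022-12-06T02:00:07Z 203.0.113.7 oscar FAIL
2022-12-06T02:05:00Z 198.51.100.20 alice FAIL
2022-12-06T02:05:10Z 198.51.100.20 alice FAIL
2022-12-06T02:05:30Z 198.51.100.20 alice OK
2022-12-06T02:10:00Z 192.0.2.55 bob OK
"""


def parse_log(text):
    """Parse log lines into (timestamp, ip, username, success) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, user, result = line.split()
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), ip, user, result == "OK"))
    return events


def find_stuffing_sources(events, window=timedelta(minutes=10), min_users=10, min_fail_ratio=0.5):
    """Return {ip: stats} for sources whose behaviour matches credential stuffing.

    Signature used: one source hitting many *distinct* usernames inside a short
    window, with most attempts failing (leaked pairs that were changed or never
    reused) and a few succeeding (the reused passwords). A brute-force run against
    a single account has few distinct usernames and is deliberately not matched.
    Every successful login from a flagged source is reported as a compromised
    account, i.e. the set whose passwords need an immediate reset.
    """
    by_ip = defaultdict(list)
    for ev in events:
        by_ip[ev[1]].append(ev)

    flagged = {}
    for ip, evs in by_ip.items():
        evs.sort(key=lambda e: e[0])
        j = 0
        for i in range(len(evs)):
            # Advance j so evs[i:j] is the set of attempts within `window` of evs[i].
            while j < len(evs) and evs[j][0] - evs[i][0] <= window:
                j += 1
            span = evs[i:j]
            distinct = {e[2] for e in span}
            fails = sum(1 for e in span if not e[3])
            if len(distinct) >= min_users and fails / len(span) >= min_fail_ratio:
                flagged[ip] = {
                    "attempts": len(evs),
                    "distinct_users": len({e[2] for e in evs}),
                    "compromised": sorted({e[2] for e in evs if e[3]}),
                }
                break
    return flagged


if __name__ == "__main__":
    for ip, stats in find_stuffing_sources(parse_log(SAMPLE_LOG)).items():
        print(f"{ip}: {stats['attempts']} attempts on {stats['distinct_users']} accounts; "
              f"reset passwords for {stats['compromised']}")
```

A per-IP threshold like this catches the noisy case but is easy to evade with a proxy or residential-IP pool that spreads the same list across thousands of sources, so production detection also watches global signals such as a sudden rise in distinct usernames failing on their first attempt, and checks submitted passwords against known-breached credential sets at login time. MFA and device verification, as the experts quoted below point out, limit what a correct password is worth even when the detection misses.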
“Although many PayPal accounts were affected, the attack was not the result of PayPal’s lack of security,” Paul Bischoff, privacy advocate with tech comparison site Comparitech Ltd., told SiliconANGLE. “Instead, it’s the result of PayPal users re-using the same password on PayPal and other websites.”
Dr. Ilia Kolochenko, founder of IT security company ImmuniWeb SA and member of the Europol Data Protection Experts Network, commented that “it is at least surprising why multi-factor authentication is not enforced by default for such a sensitive service as PayPal.”
“Modern MFA technologies cost almost nothing to implement and should be enabled by default by financial service providers as a foundational security control,” Kolochenko added. “In the meantime, all users should urgently enable MFA everywhere, especially in view of the recent LastPass data breach.”
The need for improved security was emphasized by Craig Lurey, chief technology officer and co-founder at password management company Keeper Security Inc., who argues that to prevent credential stuffing attacks, cloud-based platforms must implement more advanced device verification systems so that attackers cannot brute-force test passwords.
“High-profile breaches must serve as a wake-up call for organizations large and small to implement a zero-trust architecture, enable MFA and use strong and unique passwords,” Lurey explained. “It’s equally important to train employees how to identify suspicious phishing emails or smishing text messages that seek to install malware into critical systems, prevent user access and steal sensitive data.”