PayPal Credential Stuffing Attack Affects Thousands
Table of Contents
- By Steven
- Jan 20, 2023
Credential stuffing occurs when one hack, usually a surprisingly small one, offers a hacker the ability to steal someone’s login credentials for one site, profile, or account and attempts to use it to gain access to other accounts in the same person’s name. According to Auth0, 65% of people use the same password across multiple – or sometimes all – of their accounts. Imagine using the same password for your Spotify account, Walmart account, bank account, and student loans. One of these is incredibly likely to get hacked, and it would be easy for a hacker to take that password and use it for numerous accounts.
How Did the Attack Occur?
Between December 6th and 8th, 2022, a hacker was able to access 35,000 individuals’ PayPal accounts using stolen credentials. An investigation was launched on the 20th of the same month and discovered the data breach and its magnitude. A review immediately began to ensure that it would take all possible precautions and to see what information may have been accessed. PayPal found that the hacker had acquired very sensitive information.
What Information Was Viewed or Stolen?
PayPal accounts usually contain social security numbers, addresses, names, birthdays, and tax identification numbers, so it’s safe to assume that these details were accessed in the beach. This can have detrimental effects on the victims, and, unfortunately, there isn’t a lot to do after the data is stolen besides monitoring your information. Luckily, PayPal is offering two years of free credit monitoring with Equifax.
How Did PayPal Admit to the Breach?
PayPal admitted to the breach by sending notifications to every affected individual. This couldn’t have been an easy task, as tens of thousands of individuals around the world were affected. This is a relatively small-scale breach in comparison to many of the breaches we write about; the largest breach in history was on Yahoo! and it affected 1.5 billion people. However, that does not make it any less important, especially considering how much information is contained in a PayPal account.
What Will Become of the Stolen Information?
If you’re one of our more avid readers, thank you! But more importantly, you may remember our articles on The North Face and Norton credential stuffing attacks. The first thing the hackers will most likely do is use your credentials for other accounts. That’s why every breach notification for a credential stuffing attack will tell you to change the password on any account with the same or a similar password.
What Should Affected Parties Do in the Aftermath of the Breach?
After any credential stuffing attack, the first thing to do is to change your password; make it harder and, if possible, weirder. Add uppercase and lowercase letters, numbers, symbols, or all of the above. Try taking a line from your favorite song and changing some of the letters to numbers, hashtags, or other symbols. This will make it easier for you to remember your password but will make it much, much harder for hackers to breach your accounts.