A PayPal security issue notification from Wednesday, Jan. 18, states that between December 6 and 8, 2022, hackers gained unauthorized access to the accounts of thousands of its users.
BleepingComputer reported that the estimated number of accounts compromised by malicious actors via a credential-stuffing attack is 34,942.
Credential-Stuffing Attack
Users who reuse the same password on every platform put all of their accounts at risk: once that password leaks from one service, every other account protected by it can be hijacked.
According to Forbes, a credential-stuffing attack is one in which a malicious actor uses an automated process to attempt logins on a service with credentials compromised from another account or service. This is why experts strongly discourage using the same password for several accounts.
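As an added illustration of the attack pattern described above (this is not code from the article or from PayPal), the following Python script runs a simple credential-stuffing detector over a constructed authentication log. It flags a source IP that tries many distinct usernames in a short window with mostly failures, and lists the accounts where a reused password actually worked, which are the ones a defender would notify and reset. The log format, field order and thresholds are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample auth-log lines (hypothetical format, not real data):
# "<ISO timestamp> <source ip> <username> <LOGIN_OK|LOGIN_FAIL>"
SAMPLE_LOG = """\
2022-12-06T10:00:01 203.0.113.7 alice LOGIN_FAIL
2022-12-06T10:00:02 203.0.113.7 bob LOGIN_FAIL
2022-12-06T10:00:02 203.0.113.7 carol LOGIN_FAIL
2022-12-06T10:00:03 203.0.113.7 dave LOGIN_OK
2022-12-06T10:00:04 203.0.113.7 erin LOGIN_FAIL
2022-12-06T10:00:05 203.0.113.7 frank LOGIN_FAIL
2022-12-06T10:00:09 203.0.113.7 grace LOGIN_OK
2022-12-06T10:05:00 198.51.100.4 alice LOGIN_FAIL
2022-12-06T10:05:20 198.51.100.4 alice LOGIN_FAIL
2022-12-06T10:05:40 198.51.100.4 alice LOGIN_OK
"""

def parse_log(text):
    """Parse the constructed log into (timestamp, ip, user, outcome) tuples."""
    events = []
    for line in text.splitlines():
        ts, ip, user, outcome = line.split()
        events.append((datetime.fromisoformat(ts), ip, user, outcome))
    return events

def detect_credential_stuffing(events, window=timedelta(minutes=5),
                               min_users=5, max_success_ratio=0.5):
    """Flag source IPs that try many *distinct* usernames within `window`.

    A user who forgot a password produces repeated failures for one account;
    credential stuffing produces roughly one attempt per account across many
    accounts, with a few successes where the reused password still works.
    """
    by_ip = defaultdict(list)
    for ts, ip, user, outcome in sorted(events):
        by_ip[ip].append((ts, user, outcome))
    alerts = {}
    for ip, attempts in by_ip.items():
        best, start = None, 0
        for end in range(len(attempts)):          # sliding time window per IP
            while attempts[end][0] - attempts[start][0] > window:
                start += 1
            span = attempts[start:end + 1]
            users = {u for _, u, _ in span}
            hits = sorted(u for _, u, o in span if o == "LOGIN_OK")
            if len(users) >= min_users and len(hits) / len(span) <= max_success_ratio:
                if best is None or len(users) > best["distinct_users"]:
                    best = {"distinct_users": len(users), "hits": hits}
        if best:
            alerts[ip] = best
    return alerts
```

The second IP in the sample (one user, repeated failures, then success) is the ordinary forgotten-password pattern and is deliberately not flagged.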
PayPal confirmed the attack on December 20, 2022, according to the official statement delivered to all account holders. The statement further assures users that PayPal has no evidence that any of their personal information was exploited as a result of this event, or that any unauthorized transactions were made on their accounts.
As of December 8, 2022, the unauthorized third parties had been removed from the affected accounts.
Compromised Data
PayPal says the attackers may have gained access to names, home addresses, Social Security numbers, individual tax identification numbers, and/or birthdates. However, the firm has found no indication of any fraudulent activity.
Customers who have had their PayPal accounts compromised may get free identity monitoring from Equifax for two years.
PayPal customers who did not receive the security issue notification were not affected by the recent coordinated credential-stuffing attack.
However, if you log in with the same credentials across many services, you should immediately change to a different, strong password for each one. If you use a password manager such as 1Password or Bitwarden, this will be a much easier process.
Expert Opinions
Tanium's chief security adviser, Timothy Morris, recommends that users switch on multi-factor authentication (MFA) wherever it is available.
Strong MFA draws on three kinds of factors: something you know (such as a password), something you have (a token or key), and something you are (biometrics).
ImmuniWeb founder and Europol Data Protection Experts Network member Dr. Ilia Kolochenko questions why MFA is not enforced by default on a platform as critical as PayPal.
Craig Lurey, chief technology officer and co-founder of Keeper Security, thinks that high-profile hacks should serve as a wake-up call for businesses of all sizes to establish a zero-trust infrastructure, enable MFA, and require strong and unique passwords.
Moreover, Beyond Identity's chief technology officer, Jasson Casey, argues that people cannot have adequate security as long as they still rely on passwords.
Even though PayPal appears to be doing what it can for affected users by recommending a password change, Casey believes passwords are inherently broken, however unique or complex they are. He argues that businesses should switch to phishing-resistant credentials based on FIDO Alliance standards.
The challenge, as Casey puts it, is "how many more credential-based attacks will it take before we see real change?"