Another day, another major security breach. Following in the footstep of Twitter and Experian, on Thursday PayPal began notifying nearly 35,000 users that their accounts were breached between December 6 and 8. What’s different here is the method attackers used to crack the accounts. PayPal itself wasn’t hacked. Instead, the baddies used an attack known as credential stuffing—leveraging previously leaked login information that people reused for their PayPal accounts.
“During the two days, hackers had access to account holders’ full names, dates of birth, postal addresses, social security numbers, and individual tax identification numbers,” Bleeping Computer reports. “Transaction histories, connected credit or debit card details, and PayPal invoicing data are also accessible on PayPal accounts.”
That’s some seriously personal information to leak. PayPal halted the intrusion within two days, reset the passwords for affected users, and says no unauthorized transactions were attempted. It’s also giving affected users two free years of credit monitoring from Equifax, per Bleeping Computer.
But this attack didn’t need to happen. Again: PayPal wasn’t hacked, and none of these accounts would have been compromised if their owners followed some fundamental online security practices.
Don’t reuse passwords across accounts, especially ones that hold ultra-sensitive private or banking information (like PayPal). A good password manager makes that easy, and free options are available. Having two-factor authentication enabled also would stymie these credential-stuffing attacks. PayPal offers the security option under its Account Settings menu. Our guide to setting up two-factor authentication the right way can help if you’re unfamiliar with the term.
Please do both now if you aren’t already. They’re the first two pieces of advice in 5 easy tasks to supercharge your security for a reason.
PayPal might not have been hacked, but it isn’t completely without blame here either. Baber Amin, the COO of Veridium, sent the following thoughts over email:
“As trusted vendors, PayPal and others need to set a higher bar here. Vendors should implement:
Processes to monitor and identify anomalous behavior, like the vast number of login failures from a credential stuffing attack. There are multiple tools and services that can do this now. For PayPal to take multiple days to catch this should not be acceptable.
Actively encourage customers to use two-factor authentication, and not just provide it as an option.
Actively eliminate passwords from their user-facing systems by fast tracking Fido Passkey adoption.”
The last part is a bit self-serving, as Veridium is a cybersecurity firm focused on passwordless authentication, but it’s still good advice for PayPal. We’ve seen major tech companies like Apple, Google, and Microsoft recently commit to passwordless futures.
Until we reach that point, however, protecting your passwords and accounts remains critical, as this PayPal breach drives home. Get your security ducks in a row and stay safe out there, folks.