When login credentials are posted on the dark web after a data breach, it is usually only a short time before they are plugged into credential stuffing attacks. Despite copious warnings from security experts over the past decade about not re-using credentials, these attacks still work well enough for criminals to keep trying them. A recent case involving some 35,000 PayPal accounts illustrates why these attacks remain common.
The accounts were compromised in December by a credential stuffing attack. The company says that it sees no evidence that money was moved out of PayPal accounts or that unauthorized charges were made, but it is not uncommon for attackers to simply verify that some portion of a credential collection still works and then sell these off to other threat actors who prepare more elaborate attacks.
High security, big-name targets still subject to credential stuffing attacks
Major platforms are able to implement some degree of defenses and scanning for credential stuffing attacks, but in the end avoiding them is mostly down to good password hygiene on the part of the end user. The breach of some 35,000 PayPal accounts in this way indicates that the message about not re-using login credentials is still not getting through to many.
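As an added example (not from the article, and not PayPal's own code), here is one scanning heuristic a platform can run over its login logs: flag a source IP that tries many distinct usernames with mostly failures inside a short window, which is the pattern of a breached credential list being replayed. The event records are constructed; the field layout and thresholds are assumptions.

```python
# Added example: simple credential-stuffing detector over constructed
# login events. Not from the article; thresholds are assumptions.
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events: (timestamp, source_ip, username, login_succeeded)
SAMPLE_EVENTS = [
    ("2022-12-06T10:00:01", "203.0.113.7", "alice", False),
    ("2022-12-06T10:00:02", "203.0.113.7", "bob", False),
    ("2022-12-06T10:00:03", "203.0.113.7", "carol", True),   # one reused password matched
    ("2022-12-06T10:00:04", "203.0.113.7", "dave", False),
    ("2022-12-06T10:00:05", "203.0.113.7", "erin", False),
    ("2022-12-06T10:00:06", "203.0.113.7", "frank", False),
    ("2022-12-06T10:00:30", "198.51.100.5", "alice", False),  # ordinary typo then success
    ("2022-12-06T10:00:45", "198.51.100.5", "alice", True),
]


def find_stuffing_sources(events, window=timedelta(minutes=5),
                          min_users=5, min_failure_ratio=0.7):
    """Return {ip: (distinct_users, attempts, failures)} for source IPs whose
    attempts within any sliding window of `window` length touch at least
    `min_users` distinct usernames with a failure ratio >= min_failure_ratio.
    A single user retrying a password does not trip this; a list being
    replayed against many accounts does."""
    by_ip = defaultdict(list)
    for ts, ip, user, ok in events:
        by_ip[ip].append((datetime.fromisoformat(ts), user, ok))
    flagged = {}
    for ip, rows in by_ip.items():
        rows.sort()
        start = 0
        for end in range(len(rows)):
            # Advance the window start so rows[start:end+1] fits in `window`.
            while rows[end][0] - rows[start][0] > window:
                start += 1
            chunk = rows[start:end + 1]
            users = {u for _, u, _ in chunk}
            failures = sum(1 for _, _, ok in chunk if not ok)
            if len(users) >= min_users and failures / len(chunk) >= min_failure_ratio:
                flagged[ip] = (len(users), len(chunk), failures)
                break  # first qualifying window is enough to raise an alert
    return flagged
```

Successful logins inside a flagged burst are the accounts worth forcing a password reset or step-up verification on, since they are the credentials the attacker has just confirmed.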
PayPal accounts can be secured by text-message- or email-based two-factor authentication, but it is not on by default or required. If users absolutely must re-use logins, these methods provide a layer of extra security that is far from failsafe but that would likely stop basic bot-based credential stuffing attacks. The platform also now supports authenticator apps, which generate an additional one-time code at login.
Though it might initially appear as if this is some sort of security failure for PayPal, companies can only reasonably be expected to do so much to curb credential stuffing attacks. Detecting the incident within two days and cutting off the attackers' access before any funds could be withdrawn or charges racked up is about as good an outcome as anyone could hope for once accounts were compromised, though the victims will still have to worry about some sensitive personal information having been exposed.
No reported theft from breached PayPal accounts, but sensitive financial information may have been taken
PayPal says that the breach window was from December 6 to December 8, and that the company verified breaches of accounts on December 20. There is not yet any information about what credentials might have been used to breach the PayPal accounts, but it was almost certainly information that came from some prior data breach and was likely available on the dark web.
While the attackers may have just been testing for logins that still work in order to package them for resale, it is possible that they accessed sensitive information while inside the PayPal accounts. This could include home and billing addresses, full names and contact information, dates of birth, balances, and Social Security or employer identification numbers.