Pierluigi Paganini January 20, 2023

PayPal is sending out data breach notifications to thousands of users because their accounts were compromised through credential stuffing attacks.

PayPal announced that 34942 customers’ accounts have been compromised between December 6 and December 8. The company added that the unauthorized accessed were the result of credential stuffing attacks and that its systems were not breached.

The company is sending out breach notification letters to the impacted customers, threat actors had access to names, addresses, Social Security Numbers, individual tax identification numbers, dates of birth for PayPal users, and of course transaction histories.

“On December 20, 2022, we confirmed that unauthorized parties were able to access your PayPal customer account using your login credentials. We have no information suggesting that any of your personal information was misused as a result of this incident, or that there are any unauthorized transactions on your account. There is also no evidence that your login credentials were obtained from any PayPal systems.” reads the letter sent by the company to the affected customers. “Based on PayPal’s investigation to date, we believe that this unauthorized activity occurred between December 6, 2022, and December 8, 2022, when we eliminated access for unauthorized third parties. During this time, the unauthorized third parties were able to view, and potentially acquire, some personal information for certain PayPal users.”

The company added that has not delayed the notification as a result of any law enforcement investigation.

What is credential stuffing?

“Credential stuffing is a type of attack in which hackers use automation and lists of compromised usernames and passwords to defeat authentication and authorization mechanisms, with the end goal of account takeover (ATO) and/or data exfiltration.” In other words, bad actors glean lists of breached usernames and passwords and run them against desired logins until they find some that work. Then, they enter those accounts for the purpose of abusing permissions, siphoning out data, or both. 

PayPal reset the passwords of the affected accounts and will force impacted users to create new password the next time they log in to their account. 

The financial technology company is offering two years of Equifax identity monitoring services to the impacted customers, that include fraud alerts and up to $1 million of identity theft insurance coverage for a specific list of out-of-pocket expenses resulting from identity theft.

Alon Gal, Ceo at Hudson Rock warns that over one million of PayPal credentials are available in the cybercrime underground, explaining that they were obtained using info-stealer infections.

“tbh 35,000 is peanuts, Hudson Rock info-stealers data indicates they have over 1,350,000 users credentials that are in the hands of hackers, with more getting added every day (not to mention some compromised PayPal employees as well).” said Gal. “Database leaks credentials stuffing is so passé, today hackers use credentials from compromised computers.”

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, credential stuffing)