Credential stuffing attack on PayPal, what is known

User laziness can be costly: the same password reused across multiple apps opens any number of doors, as around 35,000 PayPal users have discovered to their cost. Here are all the details.

PayPal has announced that the payment platform was the victim of an account breach that exposed some personal data. This was not a brute-force attack, but rather a stealthy intrusion using the credential stuffing technique, which exploited the complicity, so to speak, of the victims themselves and their lack of attention to security.

CREDENTIAL STUFFING, WHAT IT IS (AND HOW TO DEFEND AGAINST IT)

Credential stuffing attacks exploit the laziness and naivety of users, a good number of whom use the same credentials to access multiple applications, sites and services.

They are usually based on archives of usernames and passwords collected around the network, most often following massive data breaches. So, quite simply, having got hold of that "treasure", the attacker (generally a tireless bot ready to perform billions of attempts) checks whether the same key that has come to light in relation to a specific service (e.g. the work password) also opens other doors.

Of course, this kind of attack can easily be avoided by changing passwords regularly, using biometric data or using two-step verification that requires unlocking via smartphone.
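The difference between brute force and credential stuffing described above is visible in login logs, and this added example (not from the original article or from PayPal) classifies sources accordingly and lists the accounts that were opened with reused credentials. The log format, thresholds and function names are assumptions made for illustration.

```python
from collections import defaultdict

# Constructed sample login events: (source_ip, username, login_succeeded).
SAMPLE_EVENTS = (
    # One attempt per account across many accounts: leaked pairs being replayed.
    [("203.0.113.10", f"user{i}@example.com", i == 3) for i in range(8)]
    # Many guesses against a single account: classic brute force.
    + [("198.51.100.7", "alice@example.com", False) for _ in range(10)]
    # An ordinary user who mistyped a password once.
    + [("192.0.2.55", "bob@example.com", False),
       ("192.0.2.55", "bob@example.com", True)]
)

def classify_sources(events, min_attempts=5, max_tries_per_user=2):
    """Label each source IP as 'credential_stuffing', 'brute_force' or 'normal'.

    Thresholds are illustrative assumptions, not values from the article.
    """
    stats = defaultdict(lambda: {"attempts": 0, "users": set()})
    for ip, user, _ok in events:
        stats[ip]["attempts"] += 1
        stats[ip]["users"].add(user)

    verdicts = {}
    for ip, s in stats.items():
        distinct = len(s["users"])
        tries_per_user = s["attempts"] / distinct
        if s["attempts"] < min_attempts:
            verdicts[ip] = "normal"
        elif distinct >= min_attempts and tries_per_user <= max_tries_per_user:
            verdicts[ip] = "credential_stuffing"
        elif tries_per_user >= min_attempts:
            verdicts[ip] = "brute_force"
        else:
            verdicts[ip] = "normal"
    return verdicts

def accounts_to_reset(events, verdicts):
    """Accounts a stuffing source logged into with valid (reused) credentials."""
    return sorted({user for ip, user, ok in events
                   if ok and verdicts.get(ip) == "credential_stuffing"})

if __name__ == "__main__":
    v = classify_sources(SAMPLE_EVENTS)
    print(v)
    print(accounts_to_reset(SAMPLE_EVENTS, v))
```

Real campaigns spread attempts across many addresses, so in practice the same grouping is also applied per network, user agent or device fingerprint.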

THE ATTACK ON PAYPAL

The credential stuffing attack on PayPal reportedly involved around 35 thousand users and, according to the service operator, took place between 6 and 8 December 2022; it was blocked as soon as it was detected by the internal systems.

The 34,942 users involved were informed by email: according to the report, during the attack the hackers had access to the full names, dates of birth, postal addresses, social security numbers and tax identification numbers of the account holders. Reportedly, there were no breaches of the accounts involved. However, what was stolen, suitably cross-referenced, is enough to recreate false online identities or, with the help of software, to work out other passwords.

As is often the case following similar events, the company also launched an internal investigation to find out how the hackers gained access to the accounts: an investigation that ended on December 20 last year and was limited to ascertaining that unauthorized third parties had logged into accounts with valid credentials.

In the email sent to the affected users, the payment platform specifies that this was not a direct breach of its systems and that there is no evidence that the credentials were obtained through a breach of PayPal.


This is a machine translation from Italian language of a post published on Start Magazine at the URL https://www.startmag.it/innovazione/attacco-credential-stuffing-paypal-cosa-sappiamo/ on Fri, 20 Jan 2023 15:12:23 +0000.