PayPal is one of the largest online payment processing companies in the world. The company was founded by Max Levchin, Peter Thiel, and Luke Nosek in 1998, with Elon Musk joining soon after. Since PayPal is a company that deals in money, it’s not a surprise to hear that a cyberattack has hit its users.
Estimated reading time: 2 minutes
PayPal informed their users about the credential-stuffing attack via a notification letter. “On December 20, 2022, we confirmed that unauthorized parties were able to access your PayPal customer account using your login credentials,” the letter stated.
The company says unauthorized access to 35,000 user accounts was initiated between December 6th and 8th of 2022. The company believes the logins were obtained via phishing or other methods because it has not found any security breaches in its systems. Here’s what two security experts had to say about the attack.
“Bigger companies like PayPal have advanced logging and monitoring capabilities that can sometimes notice out of the ordinary access to accounts. It seems however that a lot of organizations just do not trust that their users use good enough passwords and send an email our SMS at every login from a new device. This does not lead to good user experience. The direction of authentication on the internet is encouraging with a handful of websites supporting FIDO2 users can login without using a password using passkeys. If passwordless authentication proliferates, attacks like this will disappear.”
Szilveszter Szebeni – CISO at Tresorit
“Based on our analysis about 39% breaches are caused due to stolen or default credentials. Users often use the same or passwords in multiple sites. We also use common guessable passwords. Users must avoid reusing passwords as well as common guessable ones. Companies should conduct regular assessment of stolen credentials and proactively warn users and also mandate 2 factor authentication.”
Bikash Barai – CEO and Co-founder, FireCompass
The attackers did access and potentially steal personal information including names, addresses, phone numbers, birth dates, tax IDs, and social security numbers. It will be interesting to see how impactful this credential-stuffing hack is.
What do you think of this? Please share your thoughts on any of the social media pages listed below. You can also comment on our MeWe page by joining the MeWe social network. Be sure to subscribe to our RUMBLE channel as well!