Another friendly PSA to update those passwords, especially if you use the same one for multiple accounts. Another breach has occurred, and it appears that attackers are using known credentials, reused across multiple websites, to get their hands on your details. This means that an innocent little login to a long-forgotten website can give bad actors access to more important things like your PayPal account.
According to Bleeping Computer, 34,942 PayPal users have been affected by this latest credential stuffing attack on its systems. Credential stuffing is an automated approach that involves feeding as many known logins as possible into a website's login form, which is why password recycling is a problem.
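What credential stuffing looks like from the defender's side is a single source trying many different accounts, each only once or twice, with a very low success rate. The following is an added example (not from the article, and not PayPal's own tooling) that flags that pattern in authentication logs; the log line format, the IP addresses, usernames and timestamps are all constructed for the example.

```python
"""Heuristic credential-stuffing detector over authentication log lines.

Credential stuffing looks different from a brute-force attack on one account:
one source tries MANY different usernames, each usually only once or twice,
and most attempts fail. The rule below flags a source IP when, inside a sliding
time window, it attempts at least `min_distinct_users` distinct accounts and
its success ratio stays at or below `max_success_ratio`. A source hammering a
single account is left alone here (that is a brute-force signature, not stuffing).
"""
import re
from collections import defaultdict
from datetime import datetime

# The log line format is an assumption made for this example.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<ip>[\d.]+) user=(?P<user>\S+) result=(?P<result>OK|FAIL)$"
)

# Constructed sample log: one stuffing source (203.0.113.7) that tries eight
# accounts and gets one hit, one legitimate user who mistypes once, and one
# source brute-forcing a single account (which this rule deliberately ignores).
CONSTRUCTED_LOG = [
    "2022-12-06T10:00:00Z src=203.0.113.7 user=alice result=FAIL",
    "2022-12-06T10:00:01Z src=203.0.113.7 user=bob result=FAIL",
    "2022-12-06T10:00:02Z src=203.0.113.7 user=carol result=FAIL",
    "2022-12-06T10:00:03Z src=203.0.113.7 user=dave result=FAIL",
    "2022-12-06T10:00:04Z src=203.0.113.7 user=erin result=FAIL",
    "2022-12-06T10:00:05Z src=203.0.113.7 user=frank result=OK",
    "2022-12-06T10:00:06Z src=203.0.113.7 user=grace result=FAIL",
    "2022-12-06T10:00:07Z src=203.0.113.7 user=heidi result=FAIL",
    "2022-12-06T10:03:00Z src=198.51.100.5 user=alice result=FAIL",
    "2022-12-06T10:03:20Z src=198.51.100.5 user=alice result=OK",
    "2022-12-06T10:05:00Z src=198.51.100.9 user=bob result=FAIL",
    "2022-12-06T10:05:01Z src=198.51.100.9 user=bob result=FAIL",
    "2022-12-06T10:05:02Z src=198.51.100.9 user=bob result=FAIL",
    "2022-12-06T10:05:03Z src=198.51.100.9 user=bob result=FAIL",
    "2022-12-06T10:05:04Z src=198.51.100.9 user=bob result=FAIL",
    "2022-12-06T10:05:05Z src=198.51.100.9 user=bob result=FAIL",
]


def parse_line(line):
    """Parse one log line into a dict, or return None for lines that don't match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.fromisoformat(m["ts"].replace("Z", "+00:00")).timestamp()
    return {"ts": ts, "ip": m["ip"], "user": m["user"], "success": m["result"] == "OK"}


def find_stuffing_sources(lines, window_s=300, min_distinct_users=5, max_success_ratio=0.2):
    """Return {src_ip: summary} for every source whose activity matches the stuffing rule."""
    by_ip = defaultdict(list)
    for event in filter(None, map(parse_line, lines)):
        by_ip[event["ip"]].append(event)

    flagged = {}
    for ip, events in by_ip.items():
        events.sort(key=lambda e: e["ts"])
        start = 0
        for end in range(len(events)):
            # Slide the window start forward so it spans at most window_s seconds.
            while events[end]["ts"] - events[start]["ts"] > window_s:
                start += 1
            window = events[start:end + 1]
            distinct = {e["user"] for e in window}
            successes = sum(1 for e in window if e["success"])
            if len(distinct) >= min_distinct_users and successes / len(window) <= max_success_ratio:
                # Report a summary over everything seen from this source, so the
                # accounts it actually got into are listed for password resets.
                flagged[ip] = {
                    "distinct_users": len({e["user"] for e in events}),
                    "attempts": len(events),
                    "successes": sum(1 for e in events if e["success"]),
                    "compromised": sorted(e["user"] for e in events if e["success"]),
                }
                break
    return flagged


if __name__ == "__main__":
    for ip, summary in find_stuffing_sources(CONSTRUCTED_LOG).items():
        print(ip, summary)
```

The `compromised` list is the actionable output: those are the accounts whose reused password just worked, and they need a forced reset and a notification, which is exactly the response described later in the article.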
Many websites don’t have the kind of security that, say, your bank or PayPal will use to protect your personal information. It makes sense: most people wouldn’t keep their valuables in a plastic safe, but you wouldn’t put your real safe’s PIN in there, either. Using the same password, especially in combination with the same login on multiple sites, just makes things easier for the bad guys.
PayPal found that this attack took place in early December 2022 and, after investigating, was able to confirm that credential stuffing was the likely method.
During the two days that the attack was going on, the attackers had access to a variety of personal information, including full names, dates of birth, addresses, social security numbers and tax IDs. They could also see PayPal transaction details, including credit card and bank information.
But the weird thing is that they didn't do anything with this information. At least not yet. PayPal found no evidence that the attackers attempted to make any transactions, or anything else, by the sounds of things. It's uncertain whether this was the work of someone just testing whether they could, like the recent incident involving the TSA no-fly list, or whether more nefarious actions are still to follow.
PayPal has reset the affected passwords and notified affected users, and is offering two years of free Equifax identity monitoring to keep an eye on things. The company recommends that everyone turn on two-factor authentication to help protect against these attacks in the future and, of course, change your passwords and stop recycling them, especially for accounts that hold important things like your identity.