Another day, another major security breach. Following in the footsteps of Twitter and Experian, PayPal began notifying nearly 35,000 users on Thursday that their accounts were hacked between December 6 and 8. What is different here is the method the attackers used to get into the accounts. PayPal itself was not hacked. Instead, the bad guys used an attack known as credential stuffing, exploiting previously leaked login credentials that people had reused for their PayPal accounts.
“During the two days, the hackers gained access to the account holders’ full names, birth dates, postal addresses, social security numbers, and tax identification numbers,” Bleeping Computer reports. “Transaction history, linked credit or debit card details and PayPal billing information can also be accessed on PayPal accounts.”
This is some seriously personal information to leak. PayPal halted the intrusion within two days, reset passwords for affected users, and says no unauthorized transactions were attempted. It is also offering affected users two free years of credit monitoring from Equifax, per Bleeping Computer.
But this attack didn’t have to happen. Again: PayPal was not hacked, and none of these accounts would have been compromised if their owners had followed some basic online safety practices.
Don’t reuse passwords between accounts, especially those that hold ultra-sensitive personal or banking information (like PayPal). A good password manager makes this easy, and free options are available. Enabling two-factor authentication would thwart these credential stuffing attacks as well; PayPal offers the option in the Account Settings menu. Our guide to setting up two-factor authentication the right way can help if you are not familiar with the term.
Please do both now if you haven’t already. They are the first two recommendations in 5 simple activities to boost your security for a reason.
PayPal may not have been hacked, but even here it’s not entirely without fault. Baber Amin, the COO of Veridium, sent the following thoughts via email:
“As trusted providers, PayPal and others need to set the bar higher here. Suppliers should implement:
Processes to monitor and identify anomalous behavior, such as the large number of failed logins due to a credential stuffing attack. There are several tools and services that can do this now. For PayPal to take multiple days to detect this should not be acceptable.
Actively encourage customers to use two-factor authentication, and don’t just provide it as an option.
Actively purge passwords from their user-facing systems by rapidly monitoring adoption of FIDO Passkeys.”
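The first of those recommendations, monitoring for the failed-login pattern that a credential stuffing run produces, is the kind of check a service can run over its own authentication logs. The script below is an added example, not code from the original article, from PayPal or from Veridium; the log format, the IP addresses and the usernames are constructed for illustration. The detector tells credential stuffing apart from ordinary brute force by looking not at failures per account but at one source producing failures across many distinct accounts inside a short window, and it lists the accounts that source did log into, which are the ones to force-reset.

```python
"""Credential stuffing detector for simple authentication logs (added example).

Credential stuffing looks different from classic brute force: each account
sees only one or two attempts, but a single source touches many distinct
accounts in a short time. The heuristic below flags a source IP that produces
many failed logins across many distinct usernames inside a sliding window and
records which accounts that source logged into successfully in the same window.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Assumed log line format (constructed for this example):
#   2022-12-06T10:00:01Z login_failed user=alice src=203.0.113.7
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<event>login_ok|login_failed) user=(?P<user>\S+) src=(?P<src>\S+)$"
)


def parse_line(line):
    """Parse one log line into a dict, or return None for lines we don't understand."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return {"ts": ts, "event": m["event"], "user": m["user"], "src": m["src"]}


def detect_stuffing_sources(events, window=timedelta(minutes=5),
                            min_failures=8, min_distinct_users=6):
    """Return {src: {"failures", "distinct_users", "compromised"}} for every source
    that, within any sliding window, produced at least min_failures failed logins
    spread over at least min_distinct_users different accounts. "compromised" is the
    set of accounts that source logged into successfully inside a flagged window."""
    per_src = defaultdict(deque)  # src -> recent events inside the window
    alerts = {}
    for ev in sorted(events, key=lambda e: e["ts"]):
        q = per_src[ev["src"]]
        q.append(ev)
        while q and ev["ts"] - q[0]["ts"] > window:  # drop events older than the window
            q.popleft()
        failed = [e for e in q if e["event"] == "login_failed"]
        distinct_failed = {e["user"] for e in failed}
        if len(failed) >= min_failures and len(distinct_failed) >= min_distinct_users:
            hits = {e["user"] for e in q if e["event"] == "login_ok"}
            a = alerts.setdefault(ev["src"], {"failures": 0, "distinct_users": 0,
                                               "compromised": set()})
            a["failures"] = max(a["failures"], len(failed))
            a["distinct_users"] = max(a["distinct_users"], len(distinct_failed))
            a["compromised"] |= hits
    return alerts


def failure_rate(events):
    """Share of login events that failed; a jump against the usual baseline catches
    stuffing runs spread over many source IPs that no single-source rule sees."""
    total = len(events)
    failed = sum(1 for e in events if e["event"] == "login_failed")
    return failed / total if total else 0.0


def constructed_sample_log():
    """Constructed sample log (not real data): normal traffic, one brute-force source
    hammering a single account, and one credential-stuffing source trying ten
    different accounts, two of which accept the leaked password."""
    lines = [
        "2022-12-06T09:00:00Z login_ok user=alice src=198.51.100.10",
        "2022-12-06T09:01:00Z login_failed user=bob src=198.51.100.11",
        "2022-12-06T09:01:30Z login_ok user=bob src=198.51.100.11",
        "2022-12-06T09:05:00Z login_ok user=carol src=198.51.100.12",
    ]
    # Brute force: ten failures against one account from one source (not stuffing).
    lines += [f"2022-12-06T09:30:{i:02d}Z login_failed user=dave src=203.0.113.9"
              for i in range(10)]
    # Credential stuffing: one source, ten different accounts, two succeed.
    lines += [f"2022-12-06T10:00:{i:02d}Z login_failed user=u{i:02d} src=203.0.113.7"
              for i in range(8)]
    lines += [
        "2022-12-06T10:00:08Z login_ok user=u08 src=203.0.113.7",
        "2022-12-06T10:00:09Z login_ok user=u09 src=203.0.113.7",
    ]
    return lines


def analyze(lines=None):
    """Parse the given lines (default: the constructed sample) and return alerts."""
    events = [e for e in map(parse_line, lines or constructed_sample_log()) if e]
    return detect_stuffing_sources(events)


if __name__ == "__main__":
    for src, a in analyze().items():
        print(f"ALERT src={src} failures={a['failures']} "
              f"accounts_tried={a['distinct_users']} "
              f"successful_logins={sorted(a['compromised'])}")
```

Run against the sample, the brute-force source (ten failures, one account) is not reported, while the stuffing source is, together with the two accounts it got into. The thresholds and window are starting points to tune against real baseline traffic, and in production the same per-source logic would be applied per ASN or per user-agent fingerprint as well, since stuffing tools rotate IP addresses.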
That last part is a bit self-serving, since Veridium is a cybersecurity company focused on passwordless authentication, but it’s good advice for PayPal nonetheless. We have seen big tech companies like Apple, Google and Microsoft recently commit to a passwordless future.
Until we reach that point, however, protecting your passwords and accounts remains paramount, as this PayPal breach drives home. Get your security ducks in line and stay safe out there, folks.