PayPal Credential Stuffing Attacks Renew Calls for MFA

On December 20, 2022, an internal review confirmed that unauthorized parties had used account holders' own login credentials to access their PayPal accounts. In response to what is being called a credential stuffing attack, in which username/password pairs leaked from other breaches are replayed against a site's login page, PayPal warned affected customers to take steps to protect their personal information.

PayPal said it had “no information suggesting that any of your personal information was misused as a result of this incident, or that there are any unauthorized transactions on your account,” and added that there was “no evidence that your login credentials were obtained from any PayPal systems.” PayPal also said the “unauthorized activity occurred between December 6, 2022 and December 8, 2022, when we eliminated access for unauthorized third parties.”

In that time period, “the unauthorized third parties were able to view, and potentially acquire, some personal information for certain PayPal users,” the company wrote in a notification letter sent to just under 35,000 customers. PayPal also filed data breach notifications detailing the attacks.

Among the PII that could have been accessed were names, addresses, Social Security numbers, individual tax identification numbers and birthdates. In addition to investigating the incident, PayPal also took specific steps to prevent access to additional PII. “We reset the passwords of the affected PayPal accounts and implemented enhanced security controls that will require you to establish a new password the next time you log in to your account,” said the notification letter, a copy of which was posted by Bleeping Computer. The letter also offered affected users two years of identity monitoring services from Equifax.

“This is a prevailing issue where users are using the same ID/password combinations for multiple sites and applications,” said Timothy Morris, chief security advisor at Tanium. “Credential stuffing is successful because many of those combinations are on the dark web from previous breaches.”

“Attackers are looking for high-value credentials and privileged accounts which allow the attackers access to everything and [allow them to] go anywhere within the network,” said Joseph Carson, chief security scientist and advisory CISO at Delinea. Carson explained that “with privileged access, attackers can cause serious damage, steal any data, hide their tracks and sell [the credentials] for a higher value to other cybercriminals who will abuse them.”

The information apparently “gleaned from this attack could be used for identity theft,” said Morris. “The thieves could also sell the information in underground forums to quickly monetize their plunder.”

The incident has called into question PayPal’s basic security provisions. “It is at least surprising why MFA authentication is not enforced by default for such a sensitive service as PayPal,” said Ilia Kolochenko, founder of ImmuniWeb and a member of Europol Data Protection Experts Network. Kolochenko noted that modern MFA technologies are cheap and “should be enabled by default by financial service providers as a foundational security control.”

And “any unusual activity, such as login from an unknown location or a new device should be rapidly reported to the user; the account may be temporarily suspended unless the user takes an action,” Kolochenko said.

While this latest in a string of security incidents does not mean the industry is “witnessing the death of password technology … what we are witnessing (again and again) is the death of the naïveté and wishful thinking that surrounds any technology built on the premise that a single authentication source is a good idea,” said Ted Miracco, CEO at Approov.

“We have rushed to embrace SSO technologies without fully considering the obvious major disadvantage: It constitutes a single point of failure, as the compromised password lets the intruder into all areas open to the password owner. In the case of PayPal, the consequences might be quite high for those that built their trust into these systems without additional safeguards like 2FA or hardware authentication,” Miracco said.

Trusted vendors like PayPal “need to set a higher bar here,” said Baber Amin, COO at Veridium.

“Vendors should implement processes to monitor and identify anomalous behavior, like the vast number of login failures that result from a credential stuffing attack. There are multiple tools and services that can do this now,” said Amin, explaining that it was unacceptable for PayPal “to take multiple days” to discover the incident.

Companies also should “actively encourage customers to use two-factor authentication, and not just provide it as an option,” as well as “eliminate passwords from their user-facing systems by fast-tracking FIDO passkey adoption,” he added.
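The two detections Kolochenko and Amin describe above (reporting a login from an unknown location or new device, and catching the burst of login failures that a credential stuffing run produces) are simple enough to show in code. The following is an added example written for this article, not PayPal's or any vendor's code. It assumes a hypothetical authentication log format of one event per line (timestamp, username, source IP, country, device ID, outcome); the log lines and the per-account device baseline are constructed sample data, and the thresholds are illustrative, not tuned values.

```python
"""Credential-stuffing and new-device detection over constructed auth-log records."""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log (hypothetical format, not PayPal data):
#   timestamp  username  source_ip  country  device_id  outcome
# 203.0.113.9 sprays many accounts with one password each; 198.51.100.7 is a
# legitimate user who mistypes once and then signs in.
SAMPLE_LOG = """\
2022-12-06T01:00:00Z alice 198.51.100.7 US dev-a1 success
2022-12-06T01:00:03Z bob   203.0.113.9  NL dev-x9 fail
2022-12-06T01:00:04Z carol 203.0.113.9  NL dev-x9 fail
2022-12-06T01:00:05Z dave  203.0.113.9  NL dev-x9 fail
2022-12-06T01:00:06Z erin  203.0.113.9  NL dev-x9 fail
2022-12-06T01:00:07Z frank 203.0.113.9  NL dev-x9 success
2022-12-06T01:00:08Z grace 203.0.113.9  NL dev-x9 fail
2022-12-06T01:00:09Z heidi 203.0.113.9  NL dev-x9 fail
2022-12-06T01:02:00Z alice 198.51.100.7 US dev-a1 fail
2022-12-06T01:02:05Z alice 198.51.100.7 US dev-a1 success
2022-12-06T01:05:00Z bob   192.0.2.44   US dev-b2 success
"""

# Constructed baseline: (country, device_id) pairs each account has used before.
KNOWN_PROFILES = {
    "alice": {("US", "dev-a1")},
    "bob": {("US", "dev-b2")},
    "frank": {("US", "dev-f3")},
}


def parse_log(text):
    """Parse the constructed log format into event dicts sorted by timestamp."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, ip, country, device, outcome = line.split()
        events.append({
            "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "user": user, "ip": ip, "country": country,
            "device": device, "outcome": outcome,
        })
    return sorted(events, key=lambda e: e["ts"])


def detect_stuffing_sources(events, window=timedelta(minutes=5),
                            min_failures=20, min_distinct_users=10):
    """Return {ip: (failures_in_window, distinct_users_in_window)} for source IPs
    whose failed logins inside a sliding `window` exceed BOTH thresholds. The
    distinct-user test is what separates stuffing (one password tried against many
    accounts) from one user retrying a mistyped password."""
    recent = defaultdict(deque)  # ip -> deque of (ts, user) failures within the window
    flagged = {}
    for e in events:
        if e["outcome"] != "fail":
            continue
        q = recent[e["ip"]]
        q.append((e["ts"], e["user"]))
        while q and e["ts"] - q[0][0] > window:
            q.popleft()
        distinct = len({u for _, u in q})
        if len(q) >= min_failures and distinct >= min_distinct_users:
            prev = flagged.get(e["ip"], (0, 0))
            flagged[e["ip"]] = (max(prev[0], len(q)), max(prev[1], distinct))
    return flagged


def reset_candidates(events, flagged_ips):
    """Accounts successfully logged into from a flagged source: the ones whose
    password was guessed and that should be force-reset, as PayPal did."""
    return sorted({e["user"] for e in events
                   if e["outcome"] == "success" and e["ip"] in flagged_ips})


def detect_new_device_logins(events, known_profiles):
    """Successful logins whose (country, device) pair is not in the account's known
    profile: the unknown-location / new-device signal to report to the user."""
    hits = []
    for e in events:
        if e["outcome"] != "success":
            continue
        if (e["country"], e["device"]) not in known_profiles.get(e["user"], set()):
            hits.append((e["user"], e["ip"], e["country"], e["device"]))
    return hits


def run_sample():
    """Run both detections over the constructed log with sample-scale thresholds."""
    events = parse_log(SAMPLE_LOG)
    flagged = detect_stuffing_sources(events, window=timedelta(seconds=60),
                                      min_failures=5, min_distinct_users=4)
    return {
        "flagged": flagged,
        "reset_candidates": reset_candidates(events, flagged),
        "new_device_logins": detect_new_device_logins(events, KNOWN_PROFILES),
    }


if __name__ == "__main__":
    for key, value in run_sample().items():
        print(key, value)
```

On the sample data only 203.0.113.9 is flagged (six failures across six accounts within seconds), frank is the account it got into and so the reset candidate, and frank's login from an unknown country and device is the one the new-device check reports; alice's single mistyped password is not flagged. In production the distinct-user count should be keyed on something harder to rotate than a single IP (an ASN or device fingerprint), since stuffing tools spread attempts across proxy pools precisely to stay under per-IP thresholds.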

“When employees are responsible for creating passwords and tend to reuse existing passwords or select similar passwords, then credential stuffing will continue to be successful,” said Carson. “Organizations can help reduce the risks of credential attacks by moving passwords into the background and rewarding employees with a password manager or privileged access management solution that will help automate passwords. At the same time, it will help to reduce cybersecurity fatigue.”

In addition to reminding organizations to implement zero-trust, enable MFA and use strong, unique passwords, “it’s equally important to train employees to identify suspicious phishing emails or smishing text messages that seek to install malware into critical systems, prevent user access and steal sensitive data,” said Craig Lurey, CTO and co-founder at Keeper Security, whose “research shows the average U.S. business experiences 42 cyberattacks per year, three of them successful.”

And users have to take an active role in protecting their information and assets. “Affected users should monitor their credit reports and use the fraud alert services provided by the major credit reporting services. Also, they should enable strong multi-factor authentication (MFA) for all systems,” said Morris.

Teri Robinson

From the time she was 10 years old and her father gave her an electric typewriter for Christmas, Teri Robinson knew she wanted to be a writer. What she didn’t know is how the path from graduate school at LSU, where she earned a Masters degree in Journalism, would lead her on a decades-long journey from her native Louisiana to Washington, D.C. and eventually to New York City where she established a thriving practice as a writer, editor, content specialist and consultant, covering cybersecurity, business and technology, finance, regulatory, policy and customer service, among other topics; contributed to a book on the first year of motherhood; penned award-winning screenplays; and filmed a series of short movies. Most recently, as the executive editor of SC Media, Teri helped transform a 30-year-old, well-respected brand into a digital powerhouse that delivers thought leadership, high-impact journalism and the most relevant, actionable information to an audience of cybersecurity professionals, policymakers and practitioners.
