
Credential Stuffing Attack Impacts About 35,000 PayPal Accounts, Company Says No Unauthorized Transactions Detected

Though it did not suffer a breach, PayPal is reporting that a massive credential stuffing attack appears to have yielded access to about 35,000 accounts.

That figure is a small fraction of PayPal’s user base, and the accounts in question were most likely reusing credentials that had been exposed in some other data breach. PayPal says it has contacted those affected and is offering two years of Equifax’s identity monitoring service free of charge, and that it did not detect any unauthorized transactions resulting from the attack.

PayPal accounts breached in early December attack

A breach notification indicates that the credential stuffing attack took place from December 6 to December 8, 2022, when PayPal detected the campaign and cut off access. On December 20 the company verified that some PayPal accounts had been successfully accessed by the attackers.

Though the company says it has not detected any unauthorized transactions, the attackers may have exfiltrated some sensitive data from the compromised PayPal accounts. This includes Social Security or other tax identification numbers in addition to dates of birth, names and home or billing addresses.

It is plausible that the attackers did not attempt to move any money out of the PayPal accounts after gaining illicit access, if the purpose of the credential stuffing attack was simply to find logins that are reused across multiple services. Getting into PayPal would then serve as a demonstration that those logins have value on the underground market, since they can open assorted doors, and the credentials that worked would be separated out and sold to other threat actors.

PayPal accounts do offer two-factor authentication as an added security option, but it is not required and is not enabled by default. PayPal allows passwords of at most 20 characters, which can be reasonably strong if proper hygiene is followed but falls below the standard 25 to 32 characters recommended for protecting highly sensitive accounts against any realistic possibility of falling victim to credential stuffing attacks and other dictionary-based brute force approaches.

Craig Lurey, CTO and Co-Founder at Keeper Security, sees the incident as a call for organizations to improve their defenses against brute force attacks: “Our research shows the average U.S. business experiences 42 cyberattacks per year, three of them successful. While the impact to business operations and financial losses may be the most tangible examples of the damage that these attacks cause, the reputational impacts can be equally devastating. To prevent credential stuffing attacks, cloud-based platforms must implement more advanced device verification systems, so that attackers cannot brute force test passwords. A secure password manager such as Keeper will prevent password attempts on an account if the device being used is not verified and approved by the user. This device verification system inherently creates a second factor without requiring the end-user to go through manual steps to protect their account.”

“High profile breaches must serve as a wake-up call for organizations large and small to implement a zero-trust architecture, enable MFA, and use strong and unique passwords. It’s equally important to train employees how to identify suspicious phishing emails or smishing text messages that seek to install malware into critical systems, prevent user access and steal sensitive data,” advised Lurey.

On that theme Joseph Carson, chief security scientist and Advisory CISO at Delinea, adds: “When employees are left responsible for creating passwords and tend to reuse existing passwords or select similar passwords, then credential stuffing will continue to be successful. Organizations can help reduce the risks of credential attacks by moving passwords into the background and rewarding employees with a password manager or privileged access management solution that will help automate passwords. At the same time, it will help to reduce cyber fatigue. Organizations need to look for solutions that are usable, scalable, easily integrate into the existing environment, that employees want to use and that add value to the business, not only reduce the risks from cyberattacks.”

Credential stuffing attacks continue to be effective in spite of password education campaigns

The first line of defense against credential stuffing attacks is automatically locking accounts after too many failed attempts. However, this opens the door to malicious attacks that deliberately get passwords wrong in order to freeze an account. To get around this, the attempt limits are usually tied to a particular IP address or other piece of identifying information and reset after a certain period of time. Attackers can thus evade the defense if they have access to botnets composed of thousands or millions of devices, which can be scripted to keep trying login credentials from a variety of different addresses.

Platforms can monitor for unusual patterns of login attempts, but credential stuffing attacks and other brute force approaches backed by botnets have become so common that they hardly register as “unusual” traffic anymore. This should not absolve organizations of their security responsibilities, but the hard reality is that users must take some proactive steps to keep their accounts safe. 2FA based on text messages or emails is at least something of an improvement, though some security experts consider it inadequate. The other option for PayPal accounts at present is an authenticator app, but it remains vital to follow password best practices.
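The two defenses described above, the per-IP lockout counter that a distributed botnet stays under and the fleet-wide pattern monitoring that can still catch it, as an added example run over a constructed log; this is not code from the article or from PayPal, and the lockout limit, window, thresholds and log format are assumed values:

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample auth log (not PayPal data): "<ISO time> <source IP> <account> <result>".
# 198.51.100.7 is a legitimate user mistyping; 203.0.113.x is a hypothetical botnet that
# spreads its guesses so that no single IP ever reaches the per-IP lockout threshold.
SAMPLE_LOG = """\
2022-12-06T02:00:01 198.51.100.7 alice FAIL
2022-12-06T02:00:09 198.51.100.7 alice FAIL
2022-12-06T02:00:20 198.51.100.7 alice OK
2022-12-06T02:01:00 203.0.113.1 bob FAIL
2022-12-06T02:01:02 203.0.113.2 carol FAIL
2022-12-06T02:01:04 203.0.113.3 dave FAIL
2022-12-06T02:01:06 203.0.113.4 erin FAIL
2022-12-06T02:01:08 203.0.113.5 frank OK
2022-12-06T02:01:10 203.0.113.6 grace FAIL
2022-12-06T02:01:12 203.0.113.2 mallory OK
"""
PER_IP_LIMIT, WINDOW = 5, timedelta(minutes=10)  # assumed: failures one IP may make inside WINDOW

def parse_log(text):
    rows = [line.split() for line in text.strip().splitlines()]
    return [(datetime.fromisoformat(ts), ip, acct, res) for ts, ip, acct, res in rows]

def per_ip_lockouts(events, limit=PER_IP_LIMIT, window=WINDOW):
    """The classic defense: lock an IP once it makes `limit` failures inside `window`."""
    recent, locked = defaultdict(list), set()
    for ts, ip, _, res in events:
        if res == "FAIL":
            recent[ip] = [t for t in recent[ip] if ts - t < window] + [ts]
            if len(recent[ip]) >= limit:
                locked.add(ip)
    return locked

def distributed_campaign(events, window=WINDOW, min_ips=6, min_accounts=6):
    """Fleet-wide view of the first `window` of the log: many distinct IPs, each failing
    only a few times, against many accounts is the botnet shape the per-IP counter misses."""
    start = events[0][0]
    fails = [(ip, acct) for ts, ip, acct, res in events if res == "FAIL" and ts - start < window]
    failed_from = defaultdict(set)                       # ip -> accounts it failed against
    for ip, acct in fails:
        failed_from[ip].add(acct)
    accounts = {acct for _, acct in fails}
    if len(failed_from) < min_ips or len(accounts) < min_accounts:
        return None
    # Successful logins from an IP that also failed against *other* accounts: the shortlist
    # of accounts that may really have been accessed, the review PayPal did after the fact.
    suspects = sorted(acct for ts, ip, acct, res in events
                      if res == "OK" and ts - start < window and failed_from.get(ip, set()) - {acct})
    return {"distinct_ips": len(failed_from), "accounts_targeted": len(accounts),
            "max_failures_per_ip": max(Counter(ip for ip, _ in fails).values()),
            "suspect_successes": suspects}
```

Lowering the per-IP limit to 2 locks out only the legitimate user who mistyped twice, which is the self-inflicted lockout problem the text describes, while the botnet node that guessed once per IP is never touched.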

Matt Rider, Vice President, Sales Engineering at Exabeam, points out that though it took a couple of days to detect the credential stuffing attack and shut it down, PayPal was relatively successful and prompt in containing it given modern conditions: “The sad fact is that many security operation centers (SOCs) still fail to detect credential-based attacks. A lack of visibility into credential misuse is far more common, which makes PayPal’s efforts here a rare exception to the norm. Organizations generally struggle to spot attackers moving laterally around their networks. The most effective detective capability is the development of a baseline for normal employee behavior, which can specifically assist security teams with identifying the use of compromised credentials for initial access and later maintaining network access. If you know what normal behavior looks like first, abnormalities are far easier to spot quickly.”

After a rocky start in its early life with hackers frequently breaching PayPal accounts in the early 2000s, the company greatly improved its cybersecurity (to the point that co-founder Peter Thiel established his firm Palantir as an offshoot of the company’s internal security software development).

The company has since had a relatively clean security history for such a major target, at least in terms of major breaches, with most of its public controversy stemming from its payment policies rather than its ability to secure its accounts. The most recent controversy has been a perception that the company is freezing or limiting accounts in response to political speech, with media members of both the political left and right complaining throughout 2022 that PayPal had terminated their accounts with no explanation but that the incidents had come after they had published criticism of United States policy regarding the invasion of Ukraine or Covid-19 vaccinations. In October 2022 the company also made a highly controversial change to its terms of service proposing a $2,500 fine to users it found to be “promoting misinformation,” something it removed and claimed went out in error after intense public backlash.