Skip to content

Lessons from PayPal’s Credential Stuffing Attack That Affected 35K Users

Last month, PayPal was hit by a credential stuffing attack, a type of cyber-attack where hackers use lists of stolen login credentials, typically obtained from data breaches or other sources, to gain access to user accounts on various platforms. 

The attack occurred between December 6 and December 8, and the company was able to detect the incident and limit the attackers’ access to the system. An investigation revealed that unauthorized attackers could access 34,942 PayPal users’ accounts, including personal information like full names, birthdates, postal addresses, social security numbers, and unique tax identification numbers.

“Based on our analysis about 39% of breaches are caused due to stolen or default credentials. Users often use the same passwords on multiple sites”, said Bikash Barai, CEO & Co-founder, FireCompass. He further added that “users must avoid reusing passwords as well as common guessable ones. Companies should conduct regular assessment of stolen credentials and proactively warn users and also mandate 2 factor authentication”.

Based on our analysis about 39% of breaches are caused due to stolen or default credentials. Users often use the same passwords on multiple sites

Bikash Barai, CEO And Co-Founder, FireCompass Tweet

PayPal responded quickly to the breach by changing the passwords of the affected accounts and limiting the attackers’ access to the system. The company claims that the incident was not the result of a system breach, and there was no proof that attackers directly stole user credentials from the platform. Additionally, the attackers have not attempted any transactions after accessing the users’ accounts.

In response to the attack, PayPal is notifying all users whose data has been compromised and urges those who receive the notices to change their passwords for other accounts to stronger ones that are unique and long. Additionally, the company suggests that users enable two-factor authentication (2FA) security through the ‘Account Settings’ menu, which can prevent an unauthorized person from accessing an account even if they have a valid username and password.

For compensation, PayPal will provide affected users with a free two-year identity monitoring service. It’s important for users to take proactive steps to protect themselves from credential stuffing attacks by using unique, strong passwords and enabling two-factor authentication, monitoring their accounts regularly and reporting suspicious activity, and being cautious of phishing emails.

The key learnings are:

  • Credential stuffing attacks are becoming more common and can be used to gain access to user accounts on various platforms.
  • Enabling two-factor authentication and using unique, strong passwords can help protect against these types of attacks.
  • Users should also be cautious of phishing emails and report any suspicious activity on their accounts.
  • Companies should conduct regular assessments of stolen credentials and proactively warn users.
  • Companies should mandate 2 factor authentication.