Attackers Breach PayPal

In other cybersecurity news this week …

PayPal is notifying thousands of users who had their accounts accessed through credential stuffing attacks that exposed some personal data.

According to Bleeping Computer, nearly 35,000 accounts were accessed.

In a security incident notice, PayPal said it confirmed on Dec. 20 that unauthorized parties were able to access PayPal customer accounts using their login credentials. The unauthorized activity occurred between Dec. 6 and Dec. 8, when it eliminated the unauthorized access.

The personal information that was exposed could have included customers’ names, addresses, Social Security numbers, individual tax identification numbers and/or dates of birth.

“We have no information suggesting that any of your personal information was misused as a result of this incident, or that there are any unauthorized transactions on your account,” PayPal said. “There is also no evidence that your login credentials were obtained from any PayPal systems.”

Joseph Carson is chief security scientist and advisory CISO at Delinea.

“Attackers are looking for high-valued credentials, and those are privileged accounts which allow the attackers access to everything and go anywhere within the network,” he said. “With privileged access, attackers can cause serious damage, steal any data, hide their tracks and sell them for a higher value to other cybercriminals who will abuse them.”

When employees are left to be responsible for creating passwords, and tend to reuse existing passwords or select similar passwords, then credential stuffing will continue to be successful, Carson said.

“Organizations can help reduce the risks of credential attacks by moving passwords into the background and rewarding employees with a password manager or privileged access management solution that will help automate passwords,” he said. “At the same time, it will help to reduce cyber fatigue.”

Ted Miracco is CEO of Approov, a mobile app security provider.

“We are not witnessing the death of password technology, but what we are witnessing (again and again) is the death of the naïveté and wishful thinking that surrounds any technology built on the premise that a single authentication source is a good idea,” he said. “We have rushed to embrace single sign-on (SSO) technologies without fully considering the obvious major disadvantage that it constitutes a single point of failure, as the compromised password lets the intruder into all areas open to the password owner. And in the case of PayPal, the consequences might be quite high for those that built their trust into these systems without additional safeguards like two-factor authentication (2FA) or hardware authentication.”

(Courtesy mrmohock/Shutterstock)