PayPal has notified thousands of its users who have been impacted by a series of credential-stuffing attacks. The company has alerted the 35,000 users it found to be affected. However, more than a million users could be at risk, a security researcher suggested.
Alon Gal, Co-Founder and CTO at Hudson Rock, told The Cyber Express that the 35,000 user accounts were likely compromised by brute-force attempts. Hudson Rock has identified over 1,350,000 PayPal users' credentials, which were obtained by hackers as a result of info-stealer infections.
“The growing threat of info-stealer infections should be a larger concern to PayPal rather than brute-force attempts originating from passwords reused from database leaks,” he explained.
The info-stealer data Hudson Rock collected indicates that over 1,350,000 users' credentials are in the hands of hackers, with more being added every day, according to the Hudson Rock intel. Some compromised credentials of PayPal employees complicate the situation.
PayPal Cyberattack, users at risk
The attacks involved using automated bots to try out username and password combinations sourced from data leaks on various websites, and resulted in unauthorized access to some personal data.
The attacks targeted users who use the same password for multiple online accounts, a common practice known as “password recycling.”
PayPal has stated that the attacks were not a result of a breach in their systems, and there is no evidence to suggest that the user credentials were obtained directly from them.
On January 18, 2023, PayPal notified 35,000 users who could have been affected by the data breach. “We want to make clear at the outset that keeping personal data safe and secure is and will continue to be a priority moving forward,” reads the notification email sent by PayPal.
The hackers behind the recent attack were able to gain access to user accounts through credential stuffing. This method uses automated bots to test a list of username and password combinations, sourced from past data breaches, against websites.
As a result, login portals for multiple services are flooded with these credentials, making it easier for hackers to gain access.
PayPal data leak explained
According to the notification email sent by PayPal, the online payment giant confirmed a data leak on December 20, 2022. The company stated that “unauthorized parties were able to access” the information of PayPal users using their login credentials.
Investigation revealed that the attack took place between December 6, 2022, and December 8, 2022. According to PayPal’s notification email, the company was re-evaluating its third-party partners and the access protocols, a process that inadvertently glitched and opened access to third-party members.
This allowed hackers and other potential infiltrating parties to view and potentially acquire some personal information, including full name, mailing address, social security number, unique tax identification number, and birthdate for certain PayPal users.
Upon learning about the incident, PayPal started mitigating the attack and resetting the passwords of the affected users, followed by implementing more security controls over the accounts.
PayPal Cyberattack, bigger than imagined
Meanwhile, Gal and his team at Hudson Rock found that their in-house info-stealer data indicates that “over 1,350,000 users’ credentials are in the hands of hackers.”
Gal explained that more customer data and login information is being added to the leak, including some employee data, indicating a wider risk to user data.
“The 35,000 is likely from brute-force attempts based on information from leaked databases,” Gal told The Cyber Express, explaining the mismatched numbers.
“The 1,350,000 is from computers compromised by info-stealers that also have a login credential to paypal.com.”
PayPal is one of the largest online payment platforms in the world. As of 2022, the company had over 429 million active accounts and operated in more than 200 markets, and it’s available in more than 100 currencies.
However, just like any other online account, PayPal can be vulnerable to hacking and cybercrime if not appropriately protected.