PayPal has notified thousands of its users who have been impacted by a series of credential-stuffing attacks. The company claims that only 35,000 users were affected, but more than a million users are at risk, says a security researcher.
Alon Gal, Co-Founder and CTO at Hudson Rock, has termed the figure of 35,000 “peanuts”. He puts the actual number at more than one million.
“Hudson Rock info-stealers data indicates they have over 1,350,000 users credentials that are in the hands of hackers, with more getting added every day, not to mention some compromised PayPal employees as well,” Gal said in his post.
“Database leaks credentials stuffing is so passé, today hackers use credentials from compromised computers,” he added.
PayPal Cyberattack, users at risk
The attacks involved using automated bots to try out username and password combinations sourced from data leaks on various websites, and resulted in unauthorized access to some personal data.
The attacks targeted users who use the same password for multiple online accounts, a common practice known as “password recycling.”
PayPal has stated that the attacks were not a result of a breach in their systems, and there is no evidence to suggest that the user credentials were obtained directly from them.
On January 18, 2023, PayPal notified 35,000 users who could have been affected by the data breach. “We want to make clear at the outset that keeping personal data safe and secure is and will continue to be a priority moving forward,” reads the notification email sent by PayPal.
The hackers behind the recent attack were able to gain access to user accounts through credential stuffing. This method uses automated bots to test lists of username and password combinations, sourced from past data breaches, against websites.
As a result, login portals for multiple services are flooded with these credentials, making it easier for hackers to gain access.
PayPal data leak explained
According to the notification email sent by PayPal, the online payment giant confirmed a data leak on December 20, 2022. The company stated that “unauthorized parties were able to access” the information of PayPal users using their login credentials.
Investigation revealed that the attack took place between December 6, 2022, and December 8, 2022. According to PayPal’s notification email, the company was reevaluating its third-party partners and the access protocols, which inadvertently glitched and opened access to third-party members.
This allowed hackers and other potential infiltrating parties to view and potentially acquire some personal information, including full name, mailing address, social security number, unique tax identification number, and birthdate for certain PayPal users.
Upon learning about the incident, PayPal started mitigating the attack and resetting the passwords of the affected users, followed by implementing more security controls over the accounts.
PayPal Cyberattack, bigger than imagined
Alon Gal, Co-Founder & CTO at Hudson Rock, says that their in-house Hudson Rock info-stealers found data indicating that over “1,350,000 users’ credentials are in the hands of hackers”.
Moreover, Gal also explained that more customer data and login information is being added to the leak, including some employee data, contradicting what PayPal has shared in the notification emails.
PayPal is one of the largest online payment platforms in the world. As of 2022, the company had over 429 million active accounts, operated in more than 200 markets, and was available in more than 100 currencies.
However, just like any other online account, PayPal can be vulnerable to hacking and cybercrime if not appropriately protected.