Jump to content
  • PayPal accounts breached in large-scale credential stuffing attack

    alf9872000

    • 1 comment
    • 434 views
    • 3 minutes
     Share


    • 1 comment
    • 434 views
    • 3 minutes

    PayPal is sending out data breach notifications to thousands of users who had their accounts accessed through credential stuffing attacks that exposed some personal data.

     

    Credential stuffing are attacks where hackers attempt to access an account by trying out username and password pairs sourced from data leaks on various websites.

     

    This type of attack relies on an automated approach with bots running lists of credentials to "stuff" into login portals for various services.

     

    Credential stuffing targets users that employ the same password for multiple online accounts, which is known as "password recycling."

    Close to 35,000 users impacted

    PayPal explains that the credential stuffing attack occurred between December 6 and December 8, 2022. The company detected and mitigated it at the time but also started an internal investigation to find out how the hackers obtained access to the accounts.

     

    By December 20, 2022, PayPal concluded its investigation, confirming that unauthorized third parties logged into the accounts with valid credentials.

     

    The electronic payments platform claims that this was not due to a breach on its systems and has no evidence that the user credentials were obtained directly from them.

     

    According to the data breach reporting from PayPal, 34,942 of its users have been impacted by the incident. During the two days, hackers had access to account holders' full names, dates of birth, postal addresses, social security numbers, and individual tax identification numbers.

     

    Transaction histories, connected credit or debit card details, and PayPal invoicing data are also accessible on PayPal accounts.

     

    PayPal says it took timely action to limit the intruders' access to the platform and reset the passwords of accounts confirmed to have been breached.

     

    Also, the notification claims that the attackers have not attempted or did not manage to perform any transactions from the breached PayPal accounts.

     

    "We have no information suggesting that any of your personal information was misused as a result of this incident, or that there are any unauthorized transactions on your account," reads PayPal's notification to impacted users.

     

    "We reset the passwords of the affected PayPal accounts and implemented enhanced security controls that will require you to establish a new password the next time you log in to your account" - PayPal

     

    Impacted users will receive a free-of-charge two-year identity monitoring service from Equifax.

     

    The company strongly recommends that recipients of the notices change the passwords for other online accounts using a unique and long string. Typically, a good password is at least 12-characters long and includes alphanumeric characters and symbols.

     

    Moreover, PayPal advises users to activate two-factor authentication (2FA) protection from the 'Account Settings' menu, which can prevent an unauthorized party from accessing an account, even if they have a valid username and password.

     

    User Feedback

    Recommended Comments

    Paypal.. i remember getting an email from them.. a REQUEST FOR PAYMENT for £1299.76.. for an IPHONE 14 that i never ordered.

    I contacted paypal as it said PAYMENT PENDING on my account.. via their free phone number on their site..

    Told them it was a SCAM.. and what did that do in turn.. NOTHING.. except confirmed to me that it was a SCAM..

    but they couldnt delete the request due to NOTHING ILLEGAL.. if i had paid the person requesting it,, then they say they could as it would be FRAUD..

    but until someone via the same message on their account had paid The person requesting wasn't breaking any law..

     

    so requesting a payment for something they the requestor, never sent or even owned wasnt FRAUD in the eyes of paypal..until someone had sent the money.

    which is why i removed ALL my bank details from my account.. and told them I would never use them again.., the fact i only ever used them to purchase items via ebay.. with the maximum cost of £30.. the £1299.76 didnt seem WRONG to them. And that it wasnt even through EBAY.

    I would suggest everyone with a paypal CLOSE IT and tell PAYPAL why..

     

    NO TRUST IN THE COMPANY.

    just this instance logged in..and i got a message

    "We value you as a customer, and we ask that you carefully consider your decision. If there's a chance that you might want to use PayPal in the future, it's a good idea to keep your account open. There's no fee to keep your account open unless it becomes inactive.

     
    Here’s how to close your PayPal account via website:  "
     
    surely if i no longer use the account therefore by definition it is inactive.. i.e. i dont buy anything via ebay..
    I've attached a screenshot of the aforementioned SCAM.,.

    Snap1.jpg

    Edited by andy2004
    Link to comment
    Share on other sites




    Join the conversation

    You can post now and register later. If you have an account, sign in now to post with your account.
    Note: Your post will require moderator approval before it will be visible.

    Guest
    Add a comment...

    ×   Pasted as rich text.   Paste as plain text instead

      Only 75 emoji are allowed.

    ×   Your link has been automatically embedded.   Display as a link instead

    ×   Your previous content has been restored.   Clear editor

    ×   You cannot paste images directly. Upload or insert images from URL.


  • Recently Browsing   0 members

    • No registered users viewing this page.
×
×
  • Create New...