Another friendly PSA to update those passwords, especially if you use the same ones across multiple accounts. Another breach has occurred, and it looks like attackers are using known login information used across multiple websites to get your data. This means an innocent little login on a long forgotten website might give bad actors access to more important things like your PayPal account.
According to Bleeping Computer (opens in new tab), 34,942 PayPal users have been affected by this latest credential stuffing attack on its systems. Credential stuffing is an automated approach where as many known logins as possible are stuffed into a website, which is why password recycling is a problem.
Many websites won’t have the kind of security that, say, your bank or PayPal will employ to protect your personal details. It makes sense: most people don’t store their valuables in a plastic safe, but you also wouldn’t put the PIN to your real safe inside one. If you’re using the same password, especially if combined with the same login across multiple sites, it just makes things that much easier for the bad guys.
PayPal has found (opens in new tab) this attack took place in early December 2022, and after investigating was able to confirm the likelihood of credential stuffing being used.
For the two days the attack was running, hackers had access to all sorts of personal information, including full names, birth dates, address, social security numbers, and tax identification. They could also see PayPal transaction details that include credit card and bank information.
But what’s kind of weird is they didn’t do anything with this information. At least, not yet. PayPal hasn’t found evidence of the attackers trying to make transactions, or anything else from the sounds of things. It’s uncertain if this was the efforts of someone simply seeing if they could, like the recent exposer of the TSA no-fly-list (opens in new tab), or if we should expect more nefarious actions to follow.
PayPal has changed passwords and notified impacted users, along with providing two years worth of pro bono Equifax identity monitoring to keep an eye on things. The company recommends everyone enable two-factor authentication to help protect against these attacks in future, and of course change and stop recycling your passwords (opens in new tab). Especially in places you plan to keep important stuff like your identity.