PayPal Accounts Breached in Large-Scale Credential Stuffing Attack (bleepingcomputer.com)
PayPal is sending out data breach notifications to thousands of users who had their accounts accessed through credential stuffing attacks that exposed some personal data. From a report: Credential stuffing attacks are those in which hackers attempt to access an account by trying out username and password pairs sourced from data leaks on various websites. This type of attack relies on an automated approach, with bots running lists of credentials to "stuff" into the login portals of various services. Credential stuffing targets users who employ the same password for multiple online accounts, a practice known as "password recycling."
PayPal explains that the credential stuffing attack occurred between December 6 and December 8, 2022. The company detected and mitigated it at the time but also started an internal investigation to find out how the hackers obtained access to the accounts. By December 20, 2022, PayPal concluded its investigation, confirming that unauthorized third parties logged into the accounts with valid credentials. The electronic payments platform claims that this was not due to a breach on its systems and has no evidence that the user credentials were obtained directly from them. According to the data breach reporting from PayPal, 34,942 of its users have been impacted by the incident. During the two days, hackers had access to account holders' full names, dates of birth, postal addresses, social security numbers, and individual tax identification numbers.
Plain text password storage? Still? (Score:2)
Credential stuffing was born after developers started storing passwords in plain text.
Man... who'd be dumb enough to do something so stupid?
Make anything other than 1 way hash password storage a felony, watch credential stuffing die off.
Re:Plain text password storage? Still? (Score:5, Informative)
That's not how it is done anymore. Now you go on the dark web and buy the user database from some hacked system (they might be brute-forcing or using an insecure hash or encryption algo), then you start attacking other sites using those purchased creds.
I admit, I used to do a variation of this, I had a memorized 8 char random string but would tack on a site-related detail to make the password unique, for example the slashdot password ending with SD.
I've long since given this up after moving to 1password. Now each site has its own, unique 20+ character password and 2FA for whomever supports it...
Re: (Score:2)
That was my old system too. I need to look at old passwords, because a lot of them aren't very secure. Changed PayPal while I was at it...
Re: (Score:2)
This doesn't require servers storing passwords in the clear.
Users have to have a plethora of passwords, so they either use the same password (or minor variations) everywhere or use a password manager. Even when using the same/varied password everywhere, users will tend to let their browser store it for them for convenience. Either way, the users have the passwords stored locally, and/or possibly in "the cloud", and so are subject to compromise.
Also, sometimes a site is compromised and used to snoop password
Re: (Score:2)
You should spend some time on Stack Overflow. There's barely a day goes by without somebody posting code they're having trouble with that clearly shows them using plaintext passwords in databases, in amongst all the other problems like SQL Injection and 2-digit years in dates.
All these academies and universities are churning out "coders" that have no concept of maintainability, reliability or security.
Anyone reusing passwords should be... (Score:2)
Re: (Score:2)
I'm not disagreeing, at all. It seems obvious that security needs to improve. What are some examples of MFA that you would suggest?
Re: Anyone reusing passwords should be... (Score:1)
Whatever PayPal has implemented will be better than nothing, even if email with code is not great and code on SMS has its downfall.
Given a choice, for the general public, I think that the Google/LastPass/MS Authenticator scheme (all based on the same RFC) is good enough.
Of course, FIDO stuff is better, but less common.
Re: (Score:2)
Thanks, I'll have to read up on those.
I very strongly oppose anything that has to do with a phone number. Not only do I not give it out, but phone numbers are more fungible than ever. I've changed mine at least 5 times in the past 7 or so years, and might change it again in a couple of weeks.
Also, phone number usage seems to me to be very insecure on many levels; not even going to get into SMS.
First glance, not Paypal's fault? (Score:3)
Compromised passwords available online, leaked from other places, also work on paypal because the users are using the same passwords on multiple accounts, right? Enable MFA. Don't reuse passwords. Problem solved. "Paypal accounts breached" is misleading. They seem to have been logged into properly and validly. Paypal wasn't hacked. Or am I missing some nuance? Sounds like they were on it pretty quickly, and nobody got screwed.
Re: (Score:3)
They weren't hammering passwords on identified accounts - they were trying passwords from a list of known compromised accounts, probably using distributed source IPs. So probably one or two hits per account, which wouldn't trigger such a response. It's not a brute force attack.
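The pattern this comment describes is exactly why per-account lockouts miss credential stuffing: one or two tries per account, spread across many source addresses, never trips a counter keyed on the account. The signal has to be cross-account. The following is an added example (not PayPal's code or anything from the article) that runs a window-based detector over constructed auth-log lines; the log format, the baseline of known IPs per account and the thresholds are all assumptions for illustration.

```python
"""Detection logic for low-and-slow credential stuffing over constructed
auth-log lines (added example; log format and thresholds are assumed).

Per-account lockouts never fire because each account sees one or two
attempts; the signal is global: many accounts, many source IPs, and a high
share of logins from addresses the account has never used before."""
from collections import Counter
from datetime import datetime

# Constructed baseline: IPs each account has successfully used before.
BASELINE_IPS = {
    "alice": {"203.0.113.10"},
    "bob": {"198.51.100.7"},
    "carol": {"192.0.2.44"},
    "dave": {"203.0.113.77"},
    "erin": {"198.51.100.200"},
}

# Constructed log lines: ISO timestamp, account, source IP, outcome.
QUIET_LOG = """\
2022-12-05T09:00:00Z alice 203.0.113.10 success
2022-12-05T09:00:20Z bob 198.51.100.7 fail
2022-12-05T09:00:25Z bob 198.51.100.7 success
2022-12-05T09:00:40Z carol 192.0.2.44 success
"""

# Classic brute force: one account hammered from one address (constructed).
BRUTE_LOG = """\
2022-12-05T11:00:00Z bob 192.0.2.99 fail
2022-12-05T11:00:01Z bob 192.0.2.99 fail
2022-12-05T11:00:02Z bob 192.0.2.99 fail
2022-12-05T11:00:03Z bob 192.0.2.99 fail
2022-12-05T11:00:04Z bob 192.0.2.99 fail
2022-12-05T11:00:05Z bob 192.0.2.99 fail
"""

# Stuffing: one or two tries per account from many fresh addresses (constructed).
STUFFING_LOG = """\
2022-12-06T10:00:01Z alice 203.0.113.10 success
2022-12-06T10:00:02Z bob 192.0.2.61 fail
2022-12-06T10:00:03Z carol 198.51.100.130 success
2022-12-06T10:00:04Z dave 203.0.113.212 fail
2022-12-06T10:00:05Z dave 192.0.2.140 success
2022-12-06T10:00:06Z erin 198.51.100.19 fail
"""


def parse_log(text):
    """Return (timestamp, account, ip, result) tuples, oldest first."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, ip, result = line.split()
        events.append((datetime.fromisoformat(ts.replace("Z", "+00:00")),
                       user, ip, result))
    return sorted(events)


def summarize(start, bucket, baseline):
    """Aggregate one time window; every metric is cross-account."""
    per_account = Counter(user for _, user, _, _ in bucket)
    new_ip = sum(1 for _, user, ip, _ in bucket
                 if ip not in baseline.get(user, set()))
    return {
        "start": start,
        "attempts": len(bucket),
        "accounts": len(per_account),
        "max_per_account": max(per_account.values()),
        "distinct_ips": len({ip for _, _, ip, _ in bucket}),
        "new_ip_ratio": new_ip / len(bucket),
    }


def window_stats(events, baseline, window_seconds=60):
    """Cut the sorted event stream into fixed windows and summarize each."""
    stats, bucket, start = [], [], None
    for ev in events:
        if start is None:
            start = ev[0]
        elif (ev[0] - start).total_seconds() >= window_seconds:
            stats.append(summarize(start, bucket, baseline))
            start, bucket = ev[0], []
        bucket.append(ev)
    if bucket:
        stats.append(summarize(start, bucket, baseline))
    return stats


def is_stuffing(stat, min_accounts=5, max_per_account=2, min_new_ip_ratio=0.6):
    """Many accounts, few tries each, mostly from never-seen addresses."""
    return (stat["accounts"] >= min_accounts
            and stat["max_per_account"] <= max_per_account
            and stat["new_ip_ratio"] >= min_new_ip_ratio)


def flag_windows(text, baseline=BASELINE_IPS):
    """Windows in the log that match the stuffing profile."""
    return [s for s in window_stats(parse_log(text), baseline) if is_stuffing(s)]


if __name__ == "__main__":
    for name, log in (("quiet", QUIET_LOG), ("brute", BRUTE_LOG),
                      ("stuffing", STUFFING_LOG)):
        print(name, "->", len(flag_windows(log)), "flagged window(s)")
```

The brute-force sample is deliberately not flagged: six tries on one account is what a per-account lockout already catches, while the stuffing sample has at most two tries per account and five of six logins from addresses never seen for that account. In production the thresholds would be set from the site's own baseline login rate rather than the constants used here.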
Re:First glance, not Paypal's fault? (Score:4, Insightful)
Passwords suck, but if done right via a password manager, they are good enough. Many transactions on the Internet use S3 API usernames and passwords, both randomized strings, and those are not something you see breached, unless the credential was compromised on an endpoint.
Passkeys and such are interesting, but with passwordless security, you lose recoverability. For example, what happens if one loses their authentication device, and can't sync it. Being able to export all passwords to an encrypted container that is accessible even if one's account with a PW storage provider is obliterated is critical.
What is really needed is another shared secret, two way authentication protocol, just like the Google Authenticator TOTP standard, but as part of the process, it would pop up a number, and on the authenticating device, show 4-5 numbers, ask the user to pick the one that popped up. This will greatly mitigate MFA fatigue. Microsoft does this, but having an open protocol, where one could back their seeds up, or export them to another app is a must.
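The "pick the number that popped up" flow described above is usually called number matching. As an added example, not Microsoft's or any vendor's implementation, here is the server side of such a prompt with an in-memory challenge store (an assumption for illustration): one number is shown on the login page, the app shows it among decoys, and a challenge is consumed on first answer, right or wrong, so a wrong tap forces a fresh login instead of another guess.

```python
"""Server side of a push-MFA 'number matching' prompt (added example; the
in-memory store and the 4-choice / 2-digit layout are assumptions)."""
import hmac
import secrets
import time

RNG = secrets.SystemRandom()  # OS entropy, never the default PRNG


class NumberMatchChallenge:
    def __init__(self, choices: int = 4, digits: int = 2, ttl: float = 60.0):
        self.choices, self.digits, self.ttl = choices, digits, ttl
        self._pending = {}  # session_id -> (expected number, expiry time)

    def issue(self, session_id: str, now=None):
        """Create a challenge. Returns (number to show on the login page,
        shuffled options to show in the authenticator app)."""
        now = time.time() if now is None else now
        # sample() guarantees the decoys are distinct from the real number
        pool = RNG.sample(range(10 ** self.digits), self.choices)
        expected = pool[0]
        options = pool[:]
        RNG.shuffle(options)
        self._pending[session_id] = (expected, now + self.ttl)
        return expected, options

    def answer(self, session_id: str, picked: int, now=None) -> bool:
        """Consume the challenge whether or not the pick is right: a wrong or
        late answer forces a fresh login rather than another guess."""
        now = time.time() if now is None else now
        entry = self._pending.pop(session_id, None)
        if entry is None:
            return False  # unknown, already used, or never issued
        expected, expires = entry
        if now > expires:
            return False  # stale prompt, e.g. user tapped long after leaving
        return hmac.compare_digest(str(expected).zfill(self.digits),
                                   str(picked).zfill(self.digits))


if __name__ == "__main__":
    c = NumberMatchChallenge()
    shown, options = c.issue("login-session-1")
    print("login page shows", shown, "; app offers", options)
    print("user tapped", shown, "->", c.answer("login-session-1", shown))
```

The single-use property is what actually mitigates MFA fatigue: an attacker who triggers a prompt gets one 1-in-4 guess per login attempt, and each failed guess costs them a full new login, which is the kind of event the detection logic on the server side can count.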
Re: (Score:2)
People who reuse the same password (Score:2)
deserve everything they get.
And in this day and age, if the option is available, so do those who don't set up 2FA.
Re: (Score:3, Insightful)
Why include "alt-right conspiracy sites"? That non sequitur is just weird and pointless. The technically uninformed are well represented across all political demographics.
Re: (Score:3)
so do those who don't set up 2FA.
... and I'd also like a word with the 90% of sites that don't allow anything other than SMS for 2FA. Sometimes I feel like it's less about security than about maintaining a list of known-valid numbers for text spam.
Things like YubiKey or Authenticator need to get more popular, and sites need to quit offering SMS as the only option, and also allow disabling it as a password reset option to protect against SIM swaps.
Re:People who reuse the same password (Score:4, Insightful)
I wish sites offered at least three options:
1: Google Authenticator TOTP. This is a standard across all operating systems, and random TOTP seeds can be moved among programs. Easy to use, widespread, and solidly secure.
2: FIDO tokens. This is something that will help greatly to cut down on remote attacks, just because of the required press on the button. However, it can't 100% replace Google Authenticator tokens, because one may not have their FIDO token, and we still have yet to see Apple and Android offer that functionality, in the devices.
3: A Password Card [passwordcard.org] which one can print out, and just like the Google Authenticator, uses a shared secret. Except it prints out a card you can put in your wallet. It is low tech, but is secure enough, and can be used for pass phrases. Of course, it isn't truly "one time", because if an attacker can watch the connection, they can start to figure out values, like in row x, column y, there is a letter "C" over time... but the same problem happens with passwords as well, and the password card provides "good enough" 2FA value, especially if it is intended as a means of recovering an account and less of a day to day access point. Even for day to day usage, it still provides solid enough security.
4: Present a token, and the user signs it with their GPG key and pastes the clearsigned info into a field. It is a tad awkward, but for a recovery method, it works well, and is very secure.
The tough part is having some low-tech means for recovering an account should one lose both their password and 2FA, as well as their email addresses. Something like a list of recovery codes in addition to a password card would suffice for both of these things, especially if printed off and stored safely offline.
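Option 1 above (and the "all based on the same RFC" remark earlier in the thread) refers to HOTP (RFC 4226) and TOTP (RFC 6238), which is why seeds can be moved between Google Authenticator, FreeOTP and oathtool. The following is an added example, not code from PayPal or from any of those apps, that implements both with the standard library and checks itself against the RFC test vectors; the server-side verifier adds the two things a bare generator lacks, a small clock-skew window and refusal to accept a time step that has already been used.

```python
"""HOTP (RFC 4226) and TOTP (RFC 6238) with the standard library only (added
example). Includes server-side verification with a clock-skew window and
replay refusal for an already-consumed time step."""
import base64
import hashlib
import hmac
import struct
import time


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1 over the big-endian counter, dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % 10 ** digits).zfill(digits)


def totp(secret: bytes, at=None, step: int = 30, digits: int = 6) -> str:
    """RFC 6238: HOTP with counter = floor(unix_time / step)."""
    now = time.time() if at is None else at
    return hotp(secret, int(now // step), digits)


def secret_from_base32(text: str) -> bytes:
    """Decode the base32 seed from an enrolment QR code (padding optional)."""
    cleaned = text.replace(" ", "").upper()
    return base64.b32decode(cleaned + "=" * (-len(cleaned) % 8))


class TotpVerifier:
    """Server-side check: accept +/- `skew` steps of drift, compare in
    constant time, and never accept a step at or before the last accepted
    one, so a captured code cannot be replayed inside the window."""

    def __init__(self, secret: bytes, step: int = 30, digits: int = 6,
                 skew: int = 1):
        self.secret, self.step, self.digits, self.skew = secret, step, digits, skew
        self.last_step = -1  # highest time step already consumed

    def verify(self, code: str, at=None) -> bool:
        now = int((time.time() if at is None else at) // self.step)
        for delta in range(-self.skew, self.skew + 1):
            t = now + delta
            if t <= self.last_step:
                continue  # already used, or older than one already used
            if hmac.compare_digest(hotp(self.secret, t, self.digits), code):
                self.last_step = t
                return True
        return False


if __name__ == "__main__":
    seed = b"12345678901234567890"  # RFC 6238 Appendix B test seed
    print(totp(seed, at=59))  # RFC vector 94287082, so "287082" at 6 digits
```

The `last_step` bookkeeping is the part most hand-rolled verifiers forget: RFC 6238 section 5.2 requires that a code for a given step be accepted only once, otherwise a code phished or shoulder-surfed within the 30-second window (plus skew) works a second time. The backup-seed portability the comment praises is exactly `secret_from_base32`: the same base32 string re-enrolled in any RFC 6238 app yields the same codes.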
Re: (Score:2)
Agree ...
More and more sites offer 2FA One Time Passwords now. ...
That includes Google itself, as well as Paypal
And you are not tied to Google's app.
You can install FreeOTP+ from the app store, or F-Droid, and you are golden.
As a backup, I also install the oathtool .deb package on my Ubuntu laptop, backup the hashes to a text file, and
things I already know (Score:3)
Why would they be able to obtain these details by logging in as the user?
If I log into paypal I already know my SSN, I don't need to be able to learn it from there and if I have any doubt about it I can type it in and paypal can confirm by some other path (email, SMS etc.) that they have the right info.
There are no circumstances I can see why even someone with my password should be able to read these details directly and it seems negligent to me that paypal or any other company should allow that.
Re: (Score:2)
Why would they be able to obtain these details by logging in as the user?
If I log into paypal I already know my SSN, I don't need to be able to learn it from there and if I have any doubt about it I can type it in and paypal can confirm by some other path (email, SMS etc.) that they have the right info.
There are no circumstances I can see why even someone with my password should be able to read these details directly and it seems negligent to me that paypal or any other company should allow that.
Perhaps Paypal has a configuration screen which allows you to change information about yourself, and shows the current value.
Re: (Score:3)
Stuffing Attack (Score:2)
If that's not a funny euphemism, then I don't know what is.
How to cancel a PayPal account? (Score:2)
Re: (Score:2)
1. Open the app
2. Click profile icon
3. Click "Close your account"
Similar instructions if you'd rather use the website instead of the app.
Re: (Score:2)
Sounds so easy, of course so is not using the same password more than once.
Re: (Score:2)
of course so is not using the same password more than once
Right? Back when I signed up for PayPal password managers weren't a thing, so I'm sure I started out using some variation of my "normal" password at the time. This day and age, there is no excuse for using anything other than a password that looks like you handed your keyboard to a toddler.