Security

PayPal Accounts Breached in Large-Scale Credential Stuffing Attack (bleepingcomputer.com) 34

PayPal is sending out data breach notifications to thousands of users who had their accounts accessed through credential stuffing attacks that exposed some personal data. From a report: Credential stuffing is a type of attack where hackers attempt to access an account by trying out username and password pairs sourced from data leaks on various websites. This type of attack relies on an automated approach with bots running lists of credentials to "stuff" into login portals for various services. Credential stuffing targets users that employ the same password for multiple online accounts, which is known as "password recycling."

PayPal explains that the credential stuffing attack occurred between December 6 and December 8, 2022. The company detected and mitigated it at the time but also started an internal investigation to find out how the hackers obtained access to the accounts. By December 20, 2022, PayPal concluded its investigation, confirming that unauthorized third parties logged into the accounts with valid credentials. The electronic payments platform claims that this was not due to a breach on its systems and has no evidence that the user credentials were obtained directly from them. According to the data breach reporting from PayPal, 34,942 of its users have been impacted by the incident. During the two days, hackers had access to account holders' full names, dates of birth, postal addresses, social security numbers, and individual tax identification numbers.
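The summary says PayPal "detected and mitigated" the burst at the time. The telltale signal a defender looks for is one source cycling through many different accounts in a short window with a low success rate. The following is an added example, not code from the article, PayPal or BleepingComputer: it parses a constructed login log (the `key=value` format, IPs and usernames are all made up) and flags sources that match that pattern, listing the accounts that succeeded inside the burst, since those are the ones whose owners need a reset and a notification.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample login events in a made-up "key=value" format (not real
# PayPal logs). 203.0.113.7 cycles through many different accounts in seconds,
# the fingerprint of a stuffing bot; 198.51.100.4 is a user mistyping their own
# password; 192.0.2.9 is an ordinary successful login.
SAMPLE_LOG = """\
2022-12-06T10:00:01Z src=203.0.113.7 user=alice result=FAIL
2022-12-06T10:00:02Z src=203.0.113.7 user=bob result=FAIL
2022-12-06T10:00:02Z src=203.0.113.7 user=carol result=FAIL
2022-12-06T10:00:03Z src=203.0.113.7 user=dave result=SUCCESS
2022-12-06T10:00:04Z src=203.0.113.7 user=erin result=FAIL
2022-12-06T10:00:05Z src=203.0.113.7 user=frank result=FAIL
2022-12-06T10:00:06Z src=203.0.113.7 user=grace result=FAIL
2022-12-06T10:00:07Z src=203.0.113.7 user=heidi result=FAIL
2022-12-06T10:05:00Z src=198.51.100.4 user=alice result=FAIL
2022-12-06T10:05:30Z src=198.51.100.4 user=alice result=SUCCESS
2022-12-06T10:10:00Z src=192.0.2.9 user=ivan result=SUCCESS
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) user=(?P<user>\S+) result=(?P<result>\S+)$"
)


def parse_events(text):
    """Parse log lines into (timestamp, source_ip, username, succeeded) tuples."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip malformed lines rather than crash the detector
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append((ts, m["src"], m["user"], m["result"] == "SUCCESS"))
    return events


def detect_stuffing(events, window=timedelta(minutes=10),
                    min_distinct_users=5, max_success_ratio=0.2):
    """Flag source IPs that attempt at least `min_distinct_users` different
    accounts within `window` with a success ratio at or below
    `max_success_ratio`. Thresholds are assumptions; tune to your traffic.
    Returns {src: summary}; summary["compromised"] lists the accounts that
    succeeded inside the burst."""
    by_src = defaultdict(list)
    for ts, src, user, ok in events:
        by_src[src].append((ts, user, ok))

    flagged = {}
    for src, evs in by_src.items():
        evs.sort()
        start = 0
        for end in range(len(evs)):
            # slide the window start forward until it spans at most `window`
            while evs[end][0] - evs[start][0] > window:
                start += 1
            win = evs[start:end + 1]
            users = {u for _, u, _ in win}
            successes = [u for _, u, ok in win if ok]
            if (len(users) >= min_distinct_users
                    and len(successes) / len(win) <= max_success_ratio):
                cand = {"distinct_users": len(users), "attempts": len(win),
                        "successes": len(successes),
                        "compromised": sorted(set(successes))}
                # keep the widest burst seen for this source
                if (src not in flagged
                        or cand["distinct_users"] > flagged[src]["distinct_users"]):
                    flagged[src] = cand
    return flagged


if __name__ == "__main__":
    for src, info in detect_stuffing(parse_events(SAMPLE_LOG)).items():
        print(src, info)
```

Real stuffing campaigns spread attempts across proxy pools, so a per-IP view like this one is only the first cut; the same windowing applied per ASN, per user agent, or to the global ratio of failed logins against distinct accounts catches the distributed case.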

This discussion has been archived. No new comments can be posted.

  • Credential stuffing was born after developers started storing passwords in plain text.
    Man... who'd be dumb enough to do something so stupid?
    Make anything other than 1 way hash password storage a felony, watch credential stuffing die off.

    • by dark.nebulae ( 3950923 ) on Friday January 20, 2023 @11:47AM (#63225382)

      That's not how it is done anymore. Now you go on the dark web and buy the user database from some hacked system (they might be brute-forcing or using an insecure hash or encryption algo), then you start attacking other sites using those purchased creds.

      I admit, I used to do a variation of this, I had a memorized 8 char random string but would tack on a site-related detail to make the password unique, for example the slashdot password ending with SD.

      I've long since given this up after moving to 1password. Now each site has its own, unique 20+ character password and 2FA for whomever supports it...

      • That was my old system too. I need to look at old passwords, because a lot of them aren't very secure. Changed PayPal while I was at it...

    • by Burdell ( 228580 )

      This doesn't require servers storing passwords in the clear.

      Users have to have a plethora of passwords, so they either use the same password (or minor variations) everywhere or use a password manager. Even when using the same/varied password everywhere, users will tend to let their browser store it for them for convenience. Either way, the users have the passwords stored locally, and/or possibly in "the cloud", and so are subject to compromise.

      Also, sometimes a site is compromised and used to snoop password

    • You should spend some time on Stack Overflow. There's barely a day goes by without somebody posting code they're having trouble with that clearly shows them using plaintext passwords in databases, in amongst all the other problems like SQL Injection and 2-digit years in dates.

      All these academies and universities are churning out "coders" that have no concept of maintainability, reliability nor security.
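The thread above argues over whether plaintext storage is what feeds credential stuffing. The two are related but distinct: a breached site that stored an unsalted, fast hash hands attackers a table where every user with the same password has the same digest, and which cracks quickly offline; a salted, memory-hard hash makes that table far less useful, though it does nothing for a user who reused a password a different site leaked in the clear. As an added illustration (not code from any commenter or from PayPal), here is the weak pattern next to a salted scrypt record with constant-time verification; the record format and cost parameters are assumptions for the example.

```python
import hashlib
import hmac
import os
from typing import Optional


def weak_store(password: str) -> str:
    """Unsalted, fast hash: every user with the same password gets the same
    digest, so a leaked table exposes reuse and cracks at GPU speed.
    Shown only for contrast; do not use."""
    return hashlib.sha256(password.encode()).hexdigest()


# scrypt cost parameters; these values are an assumption for the example,
# tune them so one hash takes a noticeable fraction of a second on your hardware.
SCRYPT_PARAMS = {"n": 2 ** 14, "r": 8, "p": 1}
DKLEN = 32


def make_hash(password: str, salt: Optional[bytes] = None) -> str:
    """Return a self-describing record 'scrypt$<salt hex>$<digest hex>' with a
    fresh 16-byte random salt per user (salt parameter exists only for tests)."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.scrypt(password.encode(), salt=salt, dklen=DKLEN, **SCRYPT_PARAMS)
    return f"scrypt${salt.hex()}${digest.hex()}"


def verify(password: str, stored: str) -> bool:
    """Recompute with the stored salt and compare in constant time.
    Malformed records verify as False instead of raising."""
    try:
        algo, salt_hex, digest_hex = stored.split("$")
        salt, expected = bytes.fromhex(salt_hex), bytes.fromhex(digest_hex)
    except ValueError:
        return False
    if algo != "scrypt":
        return False
    digest = hashlib.scrypt(password.encode(), salt=salt, dklen=DKLEN, **SCRYPT_PARAMS)
    return hmac.compare_digest(digest, expected)


if __name__ == "__main__":
    pw = "correct horse battery staple"   # constructed sample password
    a, b = make_hash(pw), make_hash(pw)
    print("weak digests equal:", weak_store(pw) == weak_store(pw))
    print("scrypt records equal:", a == b)
    print("verify:", verify(pw, a), verify("wrong", a))
```

Two users with the same password get two unrelated records, so a dump of the table no longer reveals who shares a password, and each guess costs the attacker a full scrypt evaluation per user rather than one SHA-256 per guess for the whole table.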

  • ...notified that their account has been breached!
  • by Petersko ( 564140 ) on Friday January 20, 2023 @11:27AM (#63225320)

    Compromised passwords available online, leaked from other places, also work on paypal because the users are using the same passwords on multiple accounts, right? Enable MFA. Don't reuse passwords. Problem solved. "Paypal accounts breached" is misleading. They seem to have been logged into properly and validly. Paypal wasn't hacked. Or am I missing some nuance? Sounds like they were on it pretty quickly, and nobody got screwed.

    • by Pascoea ( 968200 )
      Idk, I feel like "breached" is a decent enough verb for the situation. They certainly weren't hacked, their idiot users dropped their car keys in the parking lot and were shocked to find that their car went missing. Idk what else PayPal could do here. Other than being proactive about searching available password dumps and notifying customers that their password is out in the wild, maybe?
  • deserve everything they get.

    And in this day and age, if the option is available, so do those who don't set up 2FA.

    • so do those who don't set up 2FA.

      ... and I'd also like a word with the 90% of sites that don't allow anything other than SMS for 2FA. Sometimes I feel like it's less about security than about maintaining a list of known-valid numbers for text spam.

      Things like YubiKey or Authenticator need to get more popular, and sites need to quit offering SMS as the only option, and also allow disabling it as a password reset option to protect against SIM swaps.

      • by ctilsie242 ( 4841247 ) on Friday January 20, 2023 @01:33PM (#63225710)

        I wish sites offered at least three options:

        1: Google Authenticator TOTP. This is a standard across all operating systems, and random TOTP seeds can be moved among programs. Easy to use, widespread, and solidly secure.

        2: FIDO tokens. This is something that will help greatly to cut down on remote attacks, just because of the required press on the button. However, it can't 100% replace Google Authenticator tokens, because one may not have their FIDO token, and we still have yet to see Apple and Android offer that functionality, in the devices.

        3: A Password Card [passwordcard.org] which one can print out, and just like the Google Authenticator, uses a shared secret. Except it prints out a card you can put in your wallet. It is low tech, but is secure enough, and can be used for pass phrases. Of course, it isn't truly "one time", because if an attacker can watch the connection, they can start to figure out values, like in row x, column y, there is a letter "C" over time... but the same problem happens with passwords as well, and the password card provides "good enough" 2FA value, especially if it is intended as a means of recovering an account and less of a day to day access point. Even for day to day usage, it still provides solid enough security.

        4: Present a token, and the user signs it with their GPG key and pastes the clearsigned info into a field. It is a tad awkward, but for a recovery method, it works well, and is very secure.

        The tough part is having some low-tech means for recovering an account should one lose both their password and 2FA, as well as their email addresses. Something like a list of recovery codes in addition to a password card would suffice for both of these things, especially if printed off and stored safely offline.

        • by kbahey ( 102895 )

          1: Google Authenticator TOTP. This is a standard across all operating systems, and random TOTP seeds can be moved among programs. Easy to use, widespread, and solidly secure.

          Agree ...

          More and more sites offer 2FA One Time Passwords now.
          That includes Google itself, as well as Paypal ...

          And you are not tied to Google's app.
          You can install FreeOTP+ from the app store, or F-Droid, and you are golden.

          As a backup, I also install the oathtool .deb package on my Ubuntu laptop, backup the hashes to a text file, and

  • by bugs2squash ( 1132591 ) on Friday January 20, 2023 @11:48AM (#63225386)

    Why would they be able to obtain these details by logging in as the user?

    If I log into paypal I already know my SSN, I don't need to be able to learn it from there and if I have any doubt about it I can type it in and paypal can confirm by some other path (email, SMS etc.) that they have the right info.

    There are no circumstances I can see why even someone with my password should be able to read these details directly and it seems negligent to me that paypal or any other company should allow that

    • Why would they be able to obtain these details by logging in as the user?

      If I log into paypal I already know my SSN, I don't need to be able to learn it from there and if I have any doubt about it I can type it in and paypal can confirm by some other path (email, SMS etc.) that they have the right info.

      There are no circumstances I can see why even someone with my password should be able to read these details directly and it seems negligent to me that paypal or any other company should allow that

      Perhaps Paypal has a configuration screen which allows you to change information about yourself, and shows the current value.

      • by Pascoea ( 968200 )
        OP's point still stands. What's wrong with displaying it as ***-**-4321? Having it in plaintext anywhere is just another security vector that doesn't need to be there.
  • If that's not a funny euphemism, then I don't know what is.

  • I've tried to cancel my PayPal account. I haven't been successful.
    • by Pascoea ( 968200 )
      https://www.paypal.com/us/cshe... [paypal.com]
      1. Open the app
      2. Click profile icon
      3. Click "Close your account"

      Similar instructions if you'd rather use the website instead of the app.
      • Nice of you to help, only 34,941 to go.

        Sounds so easy, of course so is not using the same password more than once.
        • by Pascoea ( 968200 )

          of course so is not using the same password more than once

          Right? Back when I signed up for PayPal password managers weren't a thing, so I'm sure I started out using some variation of my "normal" password at the time. This day and age, there is no excuse for using anything other than a password that looks like you handed your keyboard to a toddler.
