PayPal this week notified tens of thousands of US customers that their logins had been used successfully to access their accounts over a month ago.
The unauthorized access occurred between December 6 and December 8 last year, after which time the firm realized what was happening and “eliminated access” for the threat actors.
“During this time, the unauthorized third parties were able to view, and potentially acquire, some personal information for certain PayPal users,” the firm said in a breach notification letter posted to the Maine attorney general’s office.
“We have no information suggesting that any of your personal information was misused as a result of this incident, or that there are any unauthorized transactions on your account. There is also no evidence that your login credentials were obtained from any PayPal systems.”
Even if the threat actors did not make any unauthorized transactions after accessing the 34,942 accounts in question, they may have made off with some highly monetizable personal information.
Exposed personal information “could have included” customer names, addresses, Social Security numbers, individual tax identification numbers and/or dates of birth, said PayPal.
“PayPal has stated that it has no evidence of user accounts being used maliciously, but this should provide little comfort for victims,” argued Julia O’Toole, CEO of MyCena Security Solutions.
“The attackers can now target these victims with phishing emails and identity theft scams and use those passwords again on other sites.”
The attack itself bears all the hallmarks of a credential stuffing campaign – where breached logins stolen from other sites and/or bought on the dark web are fed into automated software and tried across multiple other sites to see if there’s a match.
“This type of breach demonstrates the importance for users to enable two-factor authentication (2FA) and not reuse passwords. This would have been avoided if PayPal had enforced the utilization of 2FA for all of its users,” argued Piiano co-founder and CEO, Gil Dabah.
“Although 2FA is less convenient for users since they need to approve their login using their mobile phone, it is highly recommended to use it, especially when a logged-in user can perform financial transactions.”
Editorial credit icon image: Ink Drop / Shutterstock.com