PayPal says hackers accessed nearly 35,000 accounts in early December using valid passwords obtained from breaches of other websites
PayPal has said a large-scale breach of user data it disclosed late last week was due to rampant password reuse amongst its users.
In a notification it sent to users starting last Thursday, the digital payments giant said some 34,942 users had their accounts accessed during a two-day period in early December.
While it said no transactions were carried out by the intruders, the hackers were able to access detailed personal data including full names, dates of birth, postal addresses, social security numbers and individual tax identification numbers.
The hackers initially accessed accounts on 6 and 8 December, with PayPal saying it detected and mitigated the campaign at that time.
An internal investigation into the incident concluded on 20 December, finding the attackers had used valid credentials.
It said it had found no evidence of a security exploit on its systems or that the credentials were obtained directly from PayPal, meaning they were likely to have been garnered from breaches at other online services.
PayPal concluded the incident was a credential-stuffing attack, in which attackers try out credentials obtained elsewhere until they find one that works.
The company said it limited the hackers’ access at the time and reset the passwords of the accounts known to have been breached.
“We have no information suggesting that any of your personal information was misused as a result of this incident, or that there are any unauthorised transactions on your account,” PayPal said in its notification.
“We reset the passwords of the affected PayPal accounts and implemented enhanced security controls that will require you to establish a new password the next time you log in to your account.”
Affected users are to receive two years of free identity monitoring from Equifax.
PayPal recommended that users ensure they aren’t reusing passwords across services.
Baber Amin, chief operating officer of computer security firm Veridium, said companies can institute processes to identify anomalous behaviour such as “the vast number of login failures from a credential stuffing attack”, as well as encourage the use of tools such as two-factor authentication.
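Detection logic of the kind Amin describes, as an added example that is not from the article, PayPal or Veridium: it runs over constructed authentication log lines and flags a source that guesses many distinct usernames with a low success rate, which is the credential-stuffing pattern rather than one user mistyping a password (the log format and thresholds are assumptions).

```python
"""Flag credential-stuffing patterns in authentication logs (added example)."""
from collections import defaultdict

# Constructed sample log lines, not real PayPal data: "timestamp source_ip username result".
SAMPLE_LOG = """\
2022-12-06T10:00:01Z 203.0.113.5 alice FAIL
2022-12-06T10:00:02Z 203.0.113.5 bob FAIL
2022-12-06T10:00:02Z 203.0.113.5 carol FAIL
2022-12-06T10:00:03Z 203.0.113.5 dave FAIL
2022-12-06T10:00:03Z 203.0.113.5 erin FAIL
2022-12-06T10:00:04Z 203.0.113.5 frank FAIL
2022-12-06T10:00:04Z 203.0.113.5 grace OK
2022-12-06T10:01:10Z 198.51.100.7 heidi FAIL
2022-12-06T10:01:25Z 198.51.100.7 heidi FAIL
2022-12-06T10:01:40Z 198.51.100.7 heidi OK
"""

def detect_stuffing(lines, min_attempts=5, min_distinct_users=5, max_success_ratio=0.25):
    """Return {source_ip: summary} for sources whose attempts look like credential stuffing:
    many distinct usernames, roughly one guess each, and a low success ratio."""
    per_ip = defaultdict(lambda: {"attempts": 0, "users": set(), "hits": []})
    for line in lines:
        if not line.strip():
            continue
        _ts, ip, user, result = line.split()
        entry = per_ip[ip]
        entry["attempts"] += 1
        entry["users"].add(user)
        if result == "OK":
            entry["hits"].append(user)

    flagged = {}
    for ip, entry in per_ip.items():
        attempts, distinct = entry["attempts"], len(entry["users"])
        ratio = len(entry["hits"]) / attempts
        if attempts >= min_attempts and distinct >= min_distinct_users and ratio <= max_success_ratio:
            flagged[ip] = {
                "attempts": attempts,
                "distinct_users": distinct,
                "success_ratio": round(ratio, 3),
                # Accounts that authenticated from the suspect source: candidates for the
                # kind of forced password reset PayPal applied to the affected accounts.
                "compromised": sorted(entry["hits"]),
            }
    return flagged

if __name__ == "__main__":
    for ip, summary in detect_stuffing(SAMPLE_LOG.splitlines()).items():
        print(ip, summary)
```

The heidi entries (three tries on one account from one address) are not flagged, while the source cycling through seven usernames with a single hit is, and the hit account is listed for reset.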
Orange Cyberdefense UK director Chris Deverill said companies have limited control over their users’ behaviour, but can improve their own security posture through, for instance, improving the awareness and education of their own staff.
“The credential stuffing attack suffered by PayPal proves how easy it can be for malicious actors to breach an organisation,” Deverill said.
“Even as a low-skilled threat actor, you can easily buy user credentials from the dark web and push out login attempts to see what you can gain access to.”