PayPal notified tens of thousands of US customers this week that attackers had used their login credentials to access their accounts more than a month ago.
The unauthorized access took place between December 6th and December 8th last year. The company then realized what was going on and “excluded” the attackers.
“During this time, it was possible for unauthorized third parties to view and obtain the personal information of certain PayPal users,” the company said in a breach notification filed with the Office of the Attorney General of Maine.
“There is no information to suggest that your personal information has been misused or that there have been unauthorized transactions on your account as a result of this incident. There is no proof.”
Even if the attackers made no unauthorized transactions after gaining access to the 34,942 affected accounts, they may have obtained highly valuable personal information.
The exposed personal information “could have included” the customer’s name, address, social security number, individual tax identification number, and/or date of birth, PayPal said.
MyCena Security Solutions CEO Julia O’Toole said:
“Attackers could target these victims with phishing emails and identity theft scams, allowing those passwords to be reused on other sites.”
The attack itself has all the hallmarks of a credential stuffing campaign, in which username and password pairs stolen from other sites or purchased on the dark web are fed to automated tools that try them against many other services, relying on users having reused the same credentials.
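The pattern described above has a recognizable footprint in authentication logs: one client address cycling through many distinct usernames in a short window, with a low but non-zero success rate, which is the opposite of a classic brute-force attempt against a single account. The following detector is an added example written for this article, not code from PayPal or from any vendor quoted here; the log format, the thresholds and the sample log lines are all constructed assumptions.

```python
"""Flag credential-stuffing activity in authentication logs (added example)."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (not real PayPal data). Assumed line format:
# "<ISO timestamp> <client_ip> <username> <SUCCESS|FAIL>"
# 203.0.113.7 sprays ten different accounts in a few seconds (stuffing),
# 198.51.100.9 retries one account (a user mistyping, or brute force),
# 192.0.2.44 is an ordinary single successful login.
SAMPLE_LOG = """\
2022-12-06T10:00:01 203.0.113.7 alice FAIL
2022-12-06T10:00:02 203.0.113.7 bob FAIL
2022-12-06T10:00:02 203.0.113.7 carol SUCCESS
2022-12-06T10:00:03 203.0.113.7 dave FAIL
2022-12-06T10:00:03 203.0.113.7 erin FAIL
2022-12-06T10:00:04 203.0.113.7 frank FAIL
2022-12-06T10:00:04 203.0.113.7 grace FAIL
2022-12-06T10:00:05 203.0.113.7 heidi SUCCESS
2022-12-06T10:00:05 203.0.113.7 ivan FAIL
2022-12-06T10:00:06 203.0.113.7 judy FAIL
2022-12-06T10:01:00 198.51.100.9 alice FAIL
2022-12-06T10:01:30 198.51.100.9 alice FAIL
2022-12-06T10:02:00 198.51.100.9 alice SUCCESS
2022-12-06T10:05:00 192.0.2.44 mallory SUCCESS
"""


def parse_log(text):
    """Parse log lines into (timestamp, ip, username, succeeded) tuples."""
    events = []
    for line in text.strip().splitlines():
        ts, ip, user, outcome = line.split()
        events.append((datetime.fromisoformat(ts), ip, user, outcome == "SUCCESS"))
    return events


def detect_stuffing(events, window=timedelta(minutes=5), min_users=5,
                    max_success_ratio=0.5):
    """Return {ip: stats} for sources that tried many distinct accounts
    within `window` while mostly failing. The success ratio is kept loose on
    purpose: in a real stuffing campaign some logins do succeed, and those
    are exactly the accounts that need to be reset and notified."""
    by_ip = defaultdict(list)
    for ts, ip, user, ok in events:
        by_ip[ip].append((ts, user, ok))

    flagged = {}
    for ip, evs in by_ip.items():
        evs.sort(key=lambda e: e[0])
        # Slide a window starting at each event for this source.
        for i, (start, _, _) in enumerate(evs):
            in_window = [e for e in evs[i:] if e[0] - start <= window]
            users = {u for _, u, _ in in_window}
            successes = sum(1 for _, _, ok in in_window if ok)
            if (len(users) >= min_users
                    and successes / len(in_window) <= max_success_ratio):
                flagged[ip] = {
                    "distinct_users": len(users),
                    "attempts": len(in_window),
                    "successes": successes,
                    # Accounts whose credentials evidently were valid.
                    "compromised": sorted(u for _, u, ok in in_window if ok),
                }
                break
    return flagged


if __name__ == "__main__":
    for ip, stats in detect_stuffing(parse_log(SAMPLE_LOG)).items():
        print(ip, stats)
```

The distinct-username count is what separates stuffing from a single user fumbling a password: 198.51.100.9 makes three attempts but against one account and is left alone. The `compromised` list is the operational output, since those accounts need a forced reset and a notification regardless of whether any transaction followed, which matches the posture PayPal describes in its notice.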
“This type of breach demonstrates the importance of users enabling two-factor authentication (2FA) and not reusing passwords. This could have been avoided,” said Gil Dabah, co-founder and CEO of Piiano.
“Although 2FA is inconvenient for users because they have to use their mobile phone to approve logins, we strongly recommend using 2FA, especially if the logged-in user can perform financial transactions.”