35,000 PayPal accounts breached in credential stuffing attack

PayPal Application Ahead Of Earnings Figures
An unauthorized party gained access to the accounts last month using one of the most common techniques deployed in data breaches.
Gabby Jones/Bloomberg

A digital intruder gained access to 34,942 PayPal customers' accounts last month in a credential stuffing attack that exposed names, dates of birth, addresses, Social Security numbers, tax IDs and phone numbers, the company told affected customers this week.

The size of the attack pales in comparison to the 432 million active accounts PayPal said it had as of November. The nature of credential stuffing attacks is that they only need to work a small percentage of the time to be effective because of the grand scale at which they can operate.

In a credential stuffing attack, a fraudster programmatically tries logging into a website (or more often multiple websites) using username and password pairs obtained from other data breaches, phishing or other methods. It is one of the most common techniques threat actors use to take over accounts, according to the OWASP Foundation, a global cybersecurity nonprofit.

In this case, PayPal said it was unclear how exactly the intruder obtained the credentials used in the attack, but it said it had no evidence that the intruder got them from any PayPal systems and that they "likely" used phishing instead.

Individuals can reduce their risk of falling prey to a credential stuffing attack through a number of methods, such as turning on multifactor authentication. This creates another barrier (or two, or more) for attackers such that, even if they know the password, they would still need the second authentication method — often a six-digit code sent via text message — to access the account.

"Multifactor authentication is by far the best defense against the majority of password-related attacks," according to OWASP's guide to defending against credential stuffing.

Because of how effective multifactor authentication can be, the Consumer Financial Protection Bureau requires that financial institutions implement multifactor authentication if they wish to avoid punitive measures.

Individuals can also reduce their risk by using unique passwords for each account they hold. For most people, this requires creating a large number of unique passwords (to match the large number of accounts they hold), which necessitates the use of a password manager — a leading security recommendation even after the recent breach of the popular password manager LastPass.

Institutions have a number of options for limiting the efficacy of credential stuffing attacks as well. Beyond requiring multifactor authentication on accounts, OWASP says institutions can use several methods for detecting and blocking attackers attempting to log in to a large number of accounts.

These methods often require checking how suspicious a login attempt is. If an institution gets a login request for a user who has never used the IP address or web browser that sent the request, that is usually enough to warrant suspicion.

Once that suspicion kicks in, the institution can send a CAPTCHA (a test that can, for example, involve identifying which images contain an object like a stop light) to see whether the request came from a human. In case of a failure or lack of response, the institution can block that IP address from further attempts, or limit the number of attempts it accepts from the address.

Some observers praised PayPal's timely handling of the attack. Matt Rider, the vice president of sales engineering for the cybersecurity company Exabeam, said it appeared "PayPal got their arms around this well and should be applauded for doing so" after the company cut off unauthorized access to the accounts two days after the intruder gained initial entry.

Rider said PayPal's handling of the incident is likely the result of "good security education within the organization, established visibility and effective technical capabilities."

Historically, PayPal has indeed had a strong security culture. The company was among the first financial services companies to establish a bug bounty program, which in 2012 was a novel cybersecurity measure that involved paying friendly hackers to try to break into their systems as a way of identifying and patching security holes.

One of the lessons from the PayPal attack, then, is that such credential stuffing can impact even security-conscious institutions. According to Rider, many companies fail to detect credential-based attacks because they lack a sense of what makes a login attempt suspicious — hence, what might warrant blocking further attempts.

To minimize credential-stuffing attacks, institutions need to know what normal behavior looks like first, he said. After that, "abnormalities are far easier to spot quickly."

For reprint and licensing requests for this article, click here.
Cyber attacks Cyber security Payments
MORE FROM AMERICAN BANKER