Nearly 35,000 PayPal Users Have Been Hit by Credential Stuffing Attacks
PayPal representatives have informed users about massive credential stuffing attacks, which have already affected about 35,000 people.
The company emphasizes that the attacks were not the result of a breach of PayPal systems, and that the user credentials appear to have been obtained from other sources. Let me remind you that we also wrote about the Magento PayPal $0 transaction issue, and that Xiaomi smartphones with MediaTek chips are vulnerable to counterfeit payments.
In addition, information security specialists said that PayPal accounts were massively attacked through integration with Google Pay.
Let me remind you that the term credential stuffing usually refers to situations where usernames and passwords are stolen from some sites and then used on others. That is, attackers have a ready-made credential database (acquired on the dark web, collected on their own, and so on) and try to use this data in automated attacks to log in to other sites and services under the guise of their victims.
PayPal reports that the credential stuffing attacks occurred between December 6 and 8, 2022. The company then detected suspicious activity and took action to stop it, and also launched an internal investigation to find out how the hackers had gained access to other people’s accounts.
By around December 20, 2022, the investigation was completed, confirming that unauthorized persons logged into other people’s accounts using valid credentials.
As a result, the incident affected 34,942 users. During those two days, the hackers had access to the full names of account holders, their dates of birth, postal addresses, social security numbers and individual taxpayer identification numbers. The attackers also had access to transaction histories, information about the connected credit or debit cards, and billing data.
PayPal says that it detected the attacks in a timely manner and took measures to limit the attackers’ access to the platform, as well as resetting the passwords of the accounts that were compromised. At the same time, it is alleged that the attackers either did not try or were unable to carry out any transactions from the hacked accounts.
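To make the definition of credential stuffing above concrete from the defender's side, here is an added example (not from PayPal or from this article) that separates the stuffing pattern, many different accounts tried once or twice each, from single-account brute force in login logs, and lists accounts whose valid credentials were accepted. The event layout, thresholds and sample data are assumptions made for illustration.

```python
from collections import defaultdict

# Constructed sample login events: (epoch_seconds, source_ip, username, success).
# IPs come from documentation ranges; every value here is made up.
EVENTS = (
    # one source, many different accounts, one try each: credential stuffing
    [(1000 + i * 3, "203.0.113.7", f"user{i}@example.com", i in (4, 9))
     for i in range(12)]
    # one source, one account, many passwords: classic brute force
    + [(1000 + i * 2, "198.51.100.23", "admin@example.com", False)
       for i in range(15)]
    # ordinary user who mistypes once and then logs in
    + [(1010, "192.0.2.50", "alice@example.com", False),
       (1025, "192.0.2.50", "alice@example.com", True)]
)

def classify_sources(events, window=600, min_accounts=10, min_attempts=10):
    """Label each source IP by the shape of its login traffic per time window."""
    # (ip, window index) -> username -> list of success flags
    buckets = defaultdict(lambda: defaultdict(list))
    for ts, ip, user, ok in events:
        buckets[(ip, ts // window)][user].append(ok)

    report = {}
    for (ip, _), users in buckets.items():
        attempts = sum(len(results) for results in users.values())
        per_account = attempts / len(users)
        if len(users) >= min_accounts and per_account <= 2:
            label = "credential_stuffing"   # wide and shallow
        elif attempts >= min_attempts:
            label = "brute_force"           # narrow and deep
        else:
            label = "normal"
        entry = report.setdefault(ip, {"label": "normal", "accounts_to_reset": []})
        if label != "normal":
            entry["label"] = label
        if label == "credential_stuffing":
            # A success inside a stuffing burst means the reused password was valid.
            hits = sorted(u for u, results in users.items() if any(results))
            entry["accounts_to_reset"].extend(hits)
    return report

if __name__ == "__main__":
    for ip, entry in classify_sources(EVENTS).items():
        print(ip, entry)
```

Grouping by source IP is the simplest key; attacks spread across many addresses need the same counting applied to other attributes the login service records.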