Paypal suffers major data breach

Check your email...
19 January 2023

Make sure your passwords are secure when you log in.

Nearly 35,000 Paypal users are being contacted after the company suffered a major data breach.

Unlike the recent high-profile ransomware attacks on organizations like The Guardian newspaper and the UK’s Royal Mail, the Paypal attack was significantly more mechanistic in nature. It appears to have been an automated attack, with bots using credential lists to carry out credential stuffing attacks, which “successfully” left users’ personal data exposed for the harvesting.

Credential stuffing?

Credential stuffing attacks are particularly artless affairs – they’re more or less literally a guessing game where bots run the numbers constantly until or unless they’re detected and stopped, or until they hit the correct username and password combinations. It’s worth saying though that the bots rarely start from a clear blue sky – usually, they have lists of pairs to try, which in themselves are sourced from previous data leaks or breaches.

If you continually re-use the same username and password for several online accounts, credential stuffers are your personal Hell – which is why every cybersecurity awareness training course should come with a section on the importance of using something like a password manager, to disincentivize password re-use and make this kind of attack significantly more difficult to carry out.
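The defender's counterpart to the attack described above is spotting it in the authentication logs: a credential stuffing bot looks nothing like a person who mistypes their own password, because one source address cycles through many different usernames and fails almost every time. The Python below is an added example, not code from the article or from PayPal; the log line format, the sample lines, the five-minute window and the thresholds are all constructed assumptions for the illustration. It parses the lines, keeps a sliding window per source address, flags a source once it has tried several distinct accounts with a high failure ratio, and reports which accounts that source nevertheless logged into, which is exactly the list a breach notification has to reach.

```python
"""Minimal credential stuffing detector over constructed auth log lines.

Added example (not from the original article). Assumed log format:
    <ISO timestamp> ip=<addr> user=<name> result=<ok|fail>
Thresholds below are illustrative assumptions, not recommended values.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta
import re

LOG_RE = re.compile(
    r"^(?P<ts>\S+) ip=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<result>ok|fail)$"
)

WINDOW = timedelta(minutes=5)     # assumption: sliding window length
DISTINCT_USER_THRESHOLD = 5       # assumption: distinct accounts per window
FAILURE_RATIO_THRESHOLD = 0.8     # assumption: share of attempts that fail

# Constructed sample data (not real addresses or users).
SAMPLE_LOG = "\n".join(
    # 203.0.113.7: a bot walking a leaked credential list, one hit on "dave"
    [f"2022-12-06T10:00:{i:02d} ip=203.0.113.7 user={u} "
     f"result={'ok' if u == 'dave' else 'fail'}"
     for i, u in enumerate(["alice", "bob", "carol", "dave",
                            "erin", "frank", "grace", "heidi"])]
    # 198.51.100.4: a real user mistyping their own password, then succeeding
    + ["2022-12-06T10:01:00 ip=198.51.100.4 user=alice result=fail",
       "2022-12-06T10:01:10 ip=198.51.100.4 user=alice result=fail",
       "2022-12-06T10:01:20 ip=198.51.100.4 user=alice result=ok"]
)


def parse_log(text):
    """Turn raw lines into (timestamp, ip, user, succeeded) tuples, oldest first."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # skip blank lines or lines not in the assumed format
        events.append((datetime.fromisoformat(m["ts"]), m["ip"],
                       m["user"], m["result"] == "ok"))
    events.sort(key=lambda e: e[0])
    return events


def detect_stuffing(events):
    """Return {ip: stats} for every source whose window ever looked like stuffing.

    stats holds the attempt/failure counts of the last window that tripped the
    rule and 'compromised': every account that source logged into successfully.
    """
    windows = defaultdict(deque)   # ip -> recent (ts, user, ok) within WINDOW
    successes = defaultdict(set)   # ip -> usernames that succeeded from that ip
    flagged = {}
    for ts, ip, user, ok in events:
        q = windows[ip]
        q.append((ts, user, ok))
        while q and ts - q[0][0] > WINDOW:   # drop events older than the window
            q.popleft()
        if ok:
            successes[ip].add(user)
        users = {u for _, u, _ in q}
        failures = sum(1 for _, _, s in q if not s)
        if (len(users) >= DISTINCT_USER_THRESHOLD
                and failures / len(q) >= FAILURE_RATIO_THRESHOLD):
            flagged[ip] = {"attempts": len(q), "distinct_users": len(users),
                           "failures": failures}
    # Any success from a flagged source is a candidate compromised account.
    for ip in flagged:
        flagged[ip]["compromised"] = sorted(successes[ip])
    return flagged


if __name__ == "__main__":
    for ip, stats in detect_stuffing(parse_log(SAMPLE_LOG)).items():
        print(f"{ip}: {stats['distinct_users']} accounts tried, "
              f"{stats['failures']}/{stats['attempts']} failed, "
              f"logged into: {', '.join(stats['compromised']) or 'none'}")
```

Run against the constructed sample, only 203.0.113.7 is flagged (eight accounts tried, seven failures) and "dave" is reported as the account it got into; the legitimate user on 198.51.100.4 fails twice on a single account and is never flagged. In production the thresholds are tuned per login endpoint, and the same windowed counting is usually also keyed on the target username, since a stuffing campaign spread across many source addresses would otherwise stay under the per-address threshold.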

If you’ve made lots of Paypal transactions in the last handful of days though, don’t panic – the Paypal data breach took place over two days in early December – December 6-8 in fact.

Paypal said nothing.

The company knew it had happened more or less immediately, and took steps to mitigate the attack.

It still said nothing.

A pre-Christmas certainty.

By December 20th, practically a calendar month ago, Paypal had completed its own investigation, confirming that over 30,000 accounts had been accessed using perfectly accurate, valid credentials, garnered by the credential stuffing bot attack method.

It took until January 19th for Paypal to start writing to users whose credentials were compromised in early December. During the 48 hours of the attack, hackers had access to users’ full names, dates of birth, postal addresses, social security numbers, and tax identification numbers. It’s entirely possible they also had access to the credit and debit card details linked to nearly 35,000 users’ Paypal accounts.

PayPal says it took “timely action” to block the unauthorized access to its users’ accounts, but that rather misses the point. If the hackers had access for anything up to 48 hours, they probably still have all the details, which can be sold on or used for their own nefarious purposes.

The notification asserts that the attackers have not attempted — or at least did not manage to perform — any transactions from the PayPal accounts to which they had access.

That’s hardly surprising – if you suddenly gain access to someone’s home address, social security number, and potentially the details of several credit cards, you’re not about to blow it buying a yacht via Paypal. The reward from such an attack tends to come from the data sale value, rather than the direct use of the credentials.

Tick tock…

It took the e-payment site almost a full calendar month to begin the process of notifying its users of the extent of the breach.

Now, as a result of Paypal’s admittedly swift action to lock out the hackers using the legitimate credentials to gain access to the user data, affected users will be required to change their passwords immediately, and will receive two years of free identity monitoring from Equifax.

That’s useful inasmuch as the details taken could be fraudulently used for all sorts of financing, and identity monitoring can help prevent such uses. But the question of why Paypal delayed its notification process for a full month remains one that should be of concern not just to the victims of this attack, but to potential victims everywhere – which is all of us.

Notify sooner to avoid losing public trust.

The Guardian ransomware hack, which compromised the details of staff at one of the UK’s most-read newspapers, was not confirmed by the paper as being a ransomware attack until three weeks later – and then by email to all the staff whose details had been breached.

In the UK’s Royal Mail ransomware attack, the organization publicly quibbled about whether it was a ransomware attack even though it had received a ransom note.

Now Paypal, one of the world’s leading e-payment systems, has waited almost a full month between concluding its own investigation into a data breach and beginning the process of alerting the compromised users to the breach.

The recent dumping of thousands of Twitter users’ data onto hacker forums for free – after there were significant attempts to monetize the sale of the data – is another case where the gap between a breach and the affected users becoming aware of it could be argued to be far too long.

A corporate culture of complacency.

The corporate culture of keeping breaches under wraps until either they have been dealt with or until the immediate threat appears to have passed clearly serves the potential victims extremely poorly.

It follows a tradition in software companies, where bugs are not widely reported until there’s a viable solution or patch to them, thereby minimizing the public panic and mistrust of everyday personal – and business – software. There’s an argument that this is valid, although a more rapid bug reporting process would normalize the understanding of quite how often software is released with bugs, errors or weaknesses still intact, and allow buyers to choose their next software package more carefully.

But when their staff or their users have their data exposed to hackers, companies would seem to have a moral responsibility, if in no sense a legal one, to let people know as soon as possible, so that the chances of their details being used for criminal purposes are minimized.

In the case of the Paypal data breach, the company is focusing strongly on getting users to employ strong and different passwords (usually at least 12 characters in length, an increase from the 8 of recent years), and adopting multi-factor authentication to make these attacks harder to successfully carry out.

While this is all sound cybersecurity advice, it should not overshadow the delayed notification normality in the corporate culture around data breaches.