PayPal accounts breached in credential stuffing attack (35k affected)

Mark Kaine

PayPal is sending out data breach notifications to thousands of users who had their accounts accessed through credential stuffing attacks that exposed some personal data.

 

Quotes

Credential stuffing targets users that employ the same password for multiple online accounts, which is known as "password recycling."

Close to 35,000 users impacted

Impacted users will receive a free-of-charge two-year identity monitoring service from Equifax.

My thoughts

Seems like a typical brute force attack. I'm surprised this doesn't happen more often - likely PayPal is blocking such attempts outright normally?

Also seems weird they could keep this secret for so long with emails to affected users going out etc.

 

Sources

https://www.bleepingcomputer.com/news/security/paypal-accounts-breached-in-large-scale-credential-stuffing-attack/

The direction tells you... the direction

-Scott Manley, 2021

 

Softwares used:

Corsair Link (Anime Edition) 

MSI Afterburner 

OpenRGB

Lively Wallpaper 

OBS Studio

Shutter Encoder

Avidemux

FSResizer

Audacity 

VLC

WMP

GIMP

HWiNFO64

Paint

3D Paint

GitHub Desktop 

Superposition 

Prime95

Aida64

GPUZ

CPUZ

Generic Logviewer

 

 

 


... Why does PayPal have your SSN??? I use it in Canada and they sure don't have my SIN (SSN equivalent in Canada).

CPU: AMD Ryzen 3700x / GPU: Asus Radeon RX 6750XT OC 12GB / RAM: Corsair Vengeance LPX 2x8GB DDR4-3200
MOBO: MSI B450m Gaming Plus / NVME: Corsair MP510 240GB / Case: TT Core v21 / PSU: Seasonic 750W / OS: Win 10 Pro


16 minutes ago, TetraSky said:

... Why does PayPal have your SSN??? I use it in Canada and they sure don't have my SIN (SSN equivalent in Canada).

Yeah, idk either, maybe it's a credit / pay later thing?


55 minutes ago, TetraSky said:

... Why does PayPal have your SSN??? I use it in Canada and they sure don't have my SIN (SSN equivalent in Canada).

I think from memory I had to give them my driver's license ID number; a driver's license is an official identification here, so that would be why they ask for it. What they don't ask for, and isn't one of the options, is my IRD number (SSN equivalent).

PayPal asks for SSN because it needs the data for sales or credit information. You do not need to provide your social security number for buying transactions. Legally, you are not obligated to supply the number as a buyer.

Sounds like the only reason it's required is if you are a seller that uses PayPal.


57 minutes ago, Mark Kaine said:

Yeah, idk either, maybe it's a credit / pay later thing?

Pretty sure in the US PayPal offers a service like PayBright/Affirm does here in Canada, buy now and pay later kind of quick loan. That's probably why they'd need an SSN, credit checks and the like.

The New Machine: Intel 11700K / Strix Z590-A WIFI II / Patriot Viper Steel 4400MHz 2x8GB / Gigabyte RTX 3080 Gaming OC w/ Bykski WB / x4 1TB SSDs (x2 M.2, x2 2.5) / Corsair 5000D Airflow White / EVGA G6 1000W / Custom Loop CPU & GPU

 

The Monster: Athlon XP 2800+ @ 2.3GHz, Asus A7N8X, 2x1GB DDR400, ATi X850 XT AGP, WD 80GB Caviar (PATA), No-Name 700W PSU, Deepcool Tesseract

 

The Overclocker: Core2Extreme QX9650 @4.5GHz, EVGA 790i FTW Digital, 4x2GB HyperX DDR3 1800, Kingston 240GB SSD, Zotac 9800 GTX x2 SLI, Custom loop cooling


PayPal requires it of a seller using their service so the identity can be validated for the IRS.

"All US payment processors, including PayPal, are required to provide information to the US Internal Revenue Service (IRS) about customers who receive payments for the sale of goods and services."

 


1 hour ago, TetraSky said:

... Why does PayPal have your SSN??? I use it in Canada and they sure don't have my SIN (SSN equivalent in Canada).

It's now required to pull money from most money transfer services due to the rule around taxes and $600 sales.


Sorry, but anybody still using the same credentials for multiple sites, especially financial or otherwise critical ones, deserves to have their accounts breached, and they certainly don't deserve free credit monitoring (I'm not even really sure what the point of offering this is, since there's a bunch of free services for this already) at the cost of PayPal. I hate PayPal, but it's not exactly their fault people are still doing this crap after years of being told not to. And ~35k?! It's just ridiculous that there are that many people still doing this, especially since the number is very likely higher, since they caught and stopped this while it was happening. I not only use a different password on every site, but a different email as well. As much as I hate to say it, it looks like PayPal did everything right here.


9 hours ago, Mark Kaine said:

Impacted users will receive a free-of-charge two-year identity monitoring service from Equifax.

I'm actually surprised that companies offer this for compromised accounts when it's not really PayPal's fault for someone reusing a password. I personally never would consider reusing a password that deals with money with any other service... but if I didn't, unless they were allowing like massive password guesses, I wouldn't really blame them for a credential stuffing attack.

 

Then again, it would be nice to see using IP addresses to flag more suspicious activities to prevent a login (but at the same time, having traveled across the country and been locked out of my accounts because I had left my personal cell at home... I sort of understand why they don't necessarily do that).

 

 

3735928559 - Beware of the dead beef
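As an added illustration, not taken from any post in this thread or from PayPal, the following detector shows what flagging by source IP can look like in practice: it marks a source that tries many different accounts in a short window (the credential-stuffing pattern the article describes) while leaving alone one user who fails a couple of times on their own account from an unfamiliar IP, the travelling case above. The log format, addresses and account names are all constructed.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample login events (made up for this example; the log format,
# source IPs and account names are hypothetical, not PayPal telemetry).
SAMPLE_LOG = """\
2023-01-19T10:00:01Z src=203.0.113.7 user=alice@example.com result=FAIL
2023-01-19T10:00:02Z src=203.0.113.7 user=bob@example.com result=FAIL
2023-01-19T10:00:02Z src=203.0.113.7 user=carol@example.com result=OK
2023-01-19T10:00:03Z src=203.0.113.7 user=dave@example.com result=FAIL
2023-01-19T10:00:04Z src=203.0.113.7 user=erin@example.com result=FAIL
2023-01-19T10:00:05Z src=203.0.113.7 user=frank@example.com result=FAIL
2023-01-19T10:03:10Z src=198.51.100.9 user=grace@example.com result=FAIL
2023-01-19T10:03:40Z src=198.51.100.9 user=grace@example.com result=FAIL
2023-01-19T10:04:05Z src=198.51.100.9 user=grace@example.com result=OK
"""


def parse_line(line):
    """Parse '<timestamp> key=value ...' into a dict; the timestamp becomes a datetime."""
    ts, *fields = line.split()
    event = {"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")}
    for field in fields:
        key, _, value = field.partition("=")
        event[key] = value
    return event


def parse_log(log_text):
    """All events in the log, oldest first."""
    events = [parse_line(line) for line in log_text.splitlines() if line.strip()]
    return sorted(events, key=lambda e: e["ts"])


def detect_stuffing(log_text, window=timedelta(minutes=5), min_accounts=5):
    """Flag sources that tried at least `min_accounts` distinct accounts within
    `window`. Credential stuffing looks like this: one source, many accounts,
    about one guess per account. A lone user failing a few times on their own
    account from a new IP (the travelling-without-a-phone case) touches only
    one account, so it does not trip the rule. Returns {src_ip: set(accounts)}."""
    per_src = defaultdict(list)
    for e in parse_log(log_text):
        per_src[e["src"]].append(e)

    flagged = {}
    for src, events in per_src.items():
        recent = deque()  # events from this source inside the sliding window
        for e in events:
            recent.append(e)
            while e["ts"] - recent[0]["ts"] > window:
                recent.popleft()
            accounts = {r["user"] for r in recent}
            if len(accounts) >= min_accounts:
                flagged.setdefault(src, set()).update(accounts)
    return flagged


def compromised_accounts(log_text, **kwargs):
    """Accounts that logged in successfully from a flagged source: the ones a
    breach notification (and a forced password reset) would have to cover."""
    flagged = detect_stuffing(log_text, **kwargs)
    return {e["user"] for e in parse_log(log_text)
            if e["src"] in flagged and e["result"] == "OK"}


if __name__ == "__main__":
    for src, accounts in detect_stuffing(SAMPLE_LOG).items():
        print(f"{src}: {len(accounts)} distinct accounts tried")
    print("likely compromised:", sorted(compromised_accounts(SAMPLE_LOG)))
```

Keying the rule on distinct accounts per source rather than on failed attempts per account is what separates this from a brute-force lockout and keeps the single travelling user from being blocked.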


4 hours ago, leadeater said:

Do not allow SSN without MFA? 🤷‍♂️

It's PayPal. They just want their cut and then be done with you. They probably figured mandatory MFA gets in the way of user efficiency.


13 hours ago, vertigo220 said:

Sorry, but anybody still using the same credentials for multiple sites, especially financial or otherwise critical ones, deserves to have their accounts breached, and they certainly don't deserve free credit monitoring (I'm not even really sure what the point of offering this is, since there's a bunch of free services for this already) at the cost of PayPal. I hate PayPal, but it's not exactly their fault people are still doing this crap after years of being told not to. And ~35k?! It's just ridiculous that there are that many people still doing this, especially since the number is very likely higher, since they caught and stopped this while it was happening. I not only use a different password on every site, but a different email as well. As much as I hate to say it, it looks like PayPal did everything right here.

I find this very lacking in understanding. You assume these individuals are aware that using passwords on multiple accounts is bad because you have heard this repeatedly, but you have no idea if they have. Oftentimes the people who get scammed or caught up in these types of things don't have knowledge about these things, like the elderly or others who haven't had the opportunity to get proper education on these things.


14 hours ago, vertigo220 said:

I hate PayPal, but it's not exactly their fault

To be fair, PayPal is partially responsible; they should have enforced 2FA like everyone else in the financial industry.....


48 minutes ago, Brooksie359 said:

I find this very lacking in understanding. You assume these individuals are aware that using passwords on multiple accounts is bad because you have heard this repeatedly, but you have no idea if they have. Oftentimes the people who get scammed or caught up in these types of things don't have knowledge about these things, like the elderly or others who haven't had the opportunity to get proper education on these things.

This information has been all over the place for years, if not decades. You'd have to be living under a rock to not know it by now. And certainly the types of people that have somehow completely missed this and that are the type to get scammed are not usually going to be using PayPal. I realize there are going to be some, but 35k (especially considering that's only the ones affected before PayPal pulled the plug) seems like an awful lot. And regardless of any of that, I fail to see how it is in any way PayPal's fault or responsibility. I realize they're probably doing what they're doing not because they're being held or feel responsible, but as a PR thing, but it's sad they should even feel the need to simply because people are still following terrible practices. At what point in time and at what level of ignorance can we finally draw a line and say people should be responsible for their own failings? After all, ignorance of the law is no excuse. If somebody really knows so little about computers and internet security, maybe they shouldn't be creating online financial accounts without, oh I don't know, maybe seeking help and advice from someone that does. And by the way, literally anyone and everyone who has a PayPal account has had the opportunity to be properly educated on this. If they have a PayPal account, that means they have internet access, which means they can take literally five minutes or less to do a search on proper password usage and/or how to keep online accounts secure.

Part of the problem, and I know this from trying to talk to people about passwords and online security and privacy, is that many people just can't be bothered with it. It's just not something a lot of people really take seriously, even when you try to educate them on it. They'd rather just rely on companies to keep them secure and not think about it. I actually used to want to teach a class at the local library or something, to help educate people so they wouldn't do stuff like this, but after seeing how little people cared and how ungrateful people are in general I just couldn't care about them anymore and couldn't be bothered to do it. I realized I can't keep caring more about others than they do about themselves. And so when I see people having to deal with the repercussions of their ignorance and laziness and apathy, yeah, I don't really feel much sympathy for them as a whole. And again, this all applies to other areas as well. For example, I've simply completely quit trying to explain to overweight (and other) people the issues with drinking diet soft drinks. And just because they apparently can't be bothered to spend a few minutes on Google doing their own research, does that mean we should allow their ignorance to shield them from responsibility for what they're doing to themselves? We live in the age of information; there's no excuse for ignorance on such basic things anymore.

Just now, jagdtigger said:

To be fair, PayPal is partially responsible; they should have enforced 2FA like everyone else in the financial industry.....

They can't "enforce" it, though. They offer it, and it's up to users to activate it. PayPal can't make them do that. They should make it more prominent and make a bigger effort to get people to use it, but that's all they can do. And I'd argue that, to @Brooksie359's point, most people that would know enough to set up and use 2FA would probably also know not to reuse passwords, and inversely most people reusing passwords probably aren't concerned enough about security to bother with 2FA, though that's of course just conjecture. But the point is, I question how many of these accounts would have been protected by 2FA even if PayPal was more aggressive in pushing it.

On another note, regarding PayPal's 2FA, unlike many others, they don't provide backup recovery codes, so for those using it with an authenticator app (you should be using either that or a hardware key, NOT SMS), if you didn't do it when setting it up, you may want to remove and re-add it and save the seed in case you lose access to your authentication app.


15 minutes ago, jagdtigger said:

To be fair, PayPal is partially responsible; they should have enforced 2FA like everyone else in the financial industry.....

The issue with 2FA is that it can create a really big problem if you no longer have access to the number (or wish to have multiple accounts). There are people as well who don't really have cell phones but still utilize the internet (and are tech-savvy enough to use PayPal) [they don't use a cell phone as they have no need for one].

You can also have business accounts, where if you need more than one person accessing it and you have 2FA it can create an issue. There is also the issue that sometimes I have my brother use my PayPal account to make purchases when I'm not around.

Oh, let's also not forget 2FA costs money to keep going (while not a totally trustworthy source, Twitter was apparently spending $60 on 2FA services).

2FA should be encouraged, and even prompted, but I still like it as a non-mandatory idea.


9 minutes ago, wanderingfool2 said:

The issue with 2FA is that it can create a really big problem if you no longer have access to the number (or wish to have multiple accounts). There are people as well who don't really have cell phones but still utilize the internet (and are tech-savvy enough to use PayPal) [they don't use a cell phone as they have no need for one].

You can also have business accounts, where if you need more than one person accessing it and you have 2FA it can create an issue. There is also the issue that sometimes I have my brother use my PayPal account to make purchases when I'm not around.

Oh, let's also not forget 2FA costs money to keep going (while not a totally trustworthy source, Twitter was apparently spending $60 on 2FA services).

2FA should be encouraged, and even prompted, but I still like it as a non-mandatory idea.

2FA can be implemented as an email with a one-time passcode. You have to have an email account to have PayPal, and while both accounts could be compromised and even use the same password, it's still better to require 2FA even with this method than to not.


1 minute ago, wanderingfool2 said:

The issue with 2FA is that it can create a really big problem if you no longer have access to the number (or wish to have multiple accounts). There are people as well who don't really have cell phones but still utilize the internet (and are tech-savvy enough to use PayPal) [they don't use a cell phone as they have no need for one].

You can also have business accounts, where if you need more than one person accessing it and you have 2FA it can create an issue. There is also the issue that sometimes I have my brother use my PayPal account to make purchases when I'm not around.

2FA should be encouraged, and even prompted, but I still like it as a non-mandatory idea.

I agree 2FA can't be required, and said as much in my reply right before yours, but there are some issues with your reasoning. If you have a device to access the internet on, unless it's a public computer and you can't plug a flash drive in (and even then there are online options), then you have a device on which you can run an authenticator app. And you can share it by simply adding your relative's/friend's/business partner's device(s) to the account. Unfortunately, many 2FA setups won't allow the use of a Google Voice number for SMS verification; otherwise that would provide that method to those without a phone. While it wouldn't be ideal, it would be better than nothing. But if you trust your brother, just add his device to your account or, as another possible option so you don't have to share all account tokens, simply provide him (in a secure manner) the seed, so he can set it up on his authenticator as well. Note, though, that I'm not sure if this will work.


18 minutes ago, vertigo220 said:

They can't "enforce" it, though. They offer it, and it's up to users to activate it. PayPal can't make them do that. They should make it more prominent and make a bigger effort to get people to use it, but that's all they can do

Of course they can make them do it. There are a lot of things that are required and 2FA can be one of them. PayPal can even be forced to require it: if 2FA ever comes in as required for parts of PCI DSS then PayPal has literally zero choice in the matter and thus would have to do it, no objections allowed.

 

18 minutes ago, vertigo220 said:

But the point is, I question how many of these accounts would have been protected by 2FA even if PayPal was more aggressive in pushing it.

Literally all of them if using a proper Authenticator app.


22 minutes ago, wanderingfool2 said:

The issue with 2FA is that it can create a really big problem if you no longer have access to the number (or wish to have multiple accounts). There are people as well who don't really have cell phones but still utilize the internet (and are tech-savvy enough to use PayPal) [they don't use a cell phone as they have no need for one].

You can also have business accounts, where if you need more than one person accessing it and you have 2FA it can create an issue. There is also the issue that sometimes I have my brother use my PayPal account to make purchases when I'm not around.

Oh, let's also not forget 2FA costs money to keep going (while not a totally trustworthy source, Twitter was apparently spending $60 on 2FA services).

2FA should be encouraged, and even prompted, but I still like it as a non-mandatory idea.

Excuses, excuses.... :old-eyeroll: For one, finding someone without a cell phone is pretty much mission impossible. Secondly, sharing an account with someone is just asking for trouble and a red flag on any audit. Thirdly, the cost of implementing 2FA is way less than dealing with the sh!tstorm caused by a breach.

 

 

24 minutes ago, vertigo220 said:

They can't "enforce" it, though.

There is a very huge difference between can't and won't. In this case the correct word is won't. (PayPal certainly can enforce it but they choose not to for some retarded reason.)


7 minutes ago, leadeater said:

Of course they can make them do it. There are a lot of things that are required and 2FA can be one of them. PayPal can even be forced to require it: if 2FA ever comes in as required for parts of PCI DSS then PayPal has literally zero choice in the matter and thus would have to do it, no objections allowed.

Yes, they can require users to enable 2FA, but they can't in the sense that not everyone can or will want to. I guess I should have said they can't feasibly do it.

 

7 minutes ago, leadeater said:

Literally all of them if using a proper Authenticator app.

 

That wasn't my point. Yes, apps using 2FA would be protected. I was saying that even if PayPal encouraged the use of 2FA, the types of people that are reusing passwords are also the type that will still not enable it, and so 2FA wouldn't protect them because they wouldn't be using it.


1 minute ago, jagdtigger said:

Excuses, excuses.... :old-eyeroll: For one, finding someone without a cell phone is pretty much mission impossible. Secondly, sharing an account with someone is just asking for trouble and a red flag on any audit. Thirdly, the cost of implementing 2FA is way less than dealing with the sh!tstorm caused by a breach.

People share accounts all the time. Typically married couples, but there's no reason why an account can't be shared between trusted family members or even friends, and it is often done for various reasons. As for the cost of using 2FA vs dealing with a breach, true, which really begs the question why so many banks are still using SMS as the only option. Maybe because they're simply relying on FDIC protection and passing the buck?

 

1 minute ago, jagdtigger said:

There is a very huge difference between can't and won't. In this case the correct word is won't.

See my response to leadeater directly above.


23 minutes ago, leadeater said:

2FA can be implemented as an email with a one-time passcode. You have to have an email account to have PayPal, and while both accounts could be compromised and even use the same password, it's still better to require 2FA even with this method than to not.

It can be implemented like that, but a large set of applications I've used don't use it like that, including PayPal, which doesn't offer that; all of PayPal's methods require either a device or phone. I still stand by what I said, it should be prompted and encouraged but I don't feel it should be made mandatory.

 

19 minutes ago, leadeater said:

PayPal can even be forced to require it: if 2FA ever comes in as required for parts of PCI DSS then PayPal has literally zero choice in the matter and thus would have to do it, no objections allowed.

I'm genuinely curious, do you know if that's discussed as potentially being in the pipeline? I haven't actually followed PCI DSS for years now (thankfully I only have to deal with it at arm's length now); it does seem like something they would require though. (I remember delaying the SSL/early TLS for as long as possible before switching it off on the site... then receiving the complaints from some customers who couldn't access it anymore.)

 

11 minutes ago, jagdtigger said:

Excuses, excuses.... :old-eyeroll: For one, finding someone without a cell phone is pretty much mission impossible. Secondly, sharing an account with someone is just asking for trouble and a red flag on any audit. Thirdly, the cost of implementing 2FA is way less than dealing with the sh!tstorm caused by a breach.

I know of at least 4 people who do not have a cell phone, I know multiple people who do not get reliable enough cell service to be able to use 2FA with a cell phone reliably at their house (although this is specifically on the ones where it's a cell # 2FA), and I do know multiple people who end up with a revolving carousel of phone numbers.

*edit* Oh, and then there was the time that the 2FA service went down when I needed to access my account. That was a fun time. Or the time that my cell service went down for the day (Rogers/Fido anyone?), that was a fun time. Then there was the time that SMS messages were occasionally getting received hours later, or dealing with a stolen cell phone where you now have to wait until you get a new cell.

Sharing an account with someone you implicitly trust isn't too bad; there are tons of couples who have shared bank accounts.


16 minutes ago, wanderingfool2 said:

I'm genuinely curious, do you know if that's discussed as potentially being in the pipeline? I haven't actually followed PCI DSS for years now (thankfully I only have to deal with it at arm's length now); it does seem like something they would require though. (I remember delaying the SSL/early TLS for as long as possible before switching it off on the site... then receiving the complaints from some customers who couldn't access it anymore.)

Probably, but I doubt it would be required for merchant accounts, only system administrator accounts etc., i.e. not the affected accounts that are part of this news story. I like to ignore PCI DSS as much as I can; it's someone else's problem and I'll do what they tell me is required.


36 minutes ago, vertigo220 said:

That wasn't my point. Yes, apps using 2FA would be protected. I was saying that even if PayPal encouraged the use of 2FA, the types of people that are reusing passwords are also the type that will still not enable it, and so 2FA wouldn't protect them because they wouldn't be using it.

That's still not a counterpoint to 2FA being required, and neither is "PayPal does it this way". 2FA options can be added; if PayPal is going to require 2FA or be required to enforce it through regulations then they will do it in the most feasible way for the users of their system that is compliant.

Just because something is done some way now doesn't mean it must be done that way forever.

Edit:

Additionally this would only be required for "merchants", aka cost of business. If you want to accept and process payments and a 2FA device becomes a requirement then that is a business cost, so get on it or don't accept payments through the affected system that requires it. If you want to accept card payments in your store then you need something to do that; that something costs money and will also have a support contract with the provider of it.

When sensitive information is involved it is not and never is too much to ask for security measures like 2FA.
