
PayPal accounts breached in credential stuffing attack (35k affected)

Mark Kaine
9 minutes ago, leadeater said:

That's still not a counter point to 2FA being required and neither is "PayPal does it this way". 2FA options can be added, if PayPal is going to require 2FA or be required to enforce it through regulations then they will do it in the most feasible way for the users of their system that is compliant.

 

Just because something is done some way now doesn't mean it must be done that way forever.

 

Edit:

Additionally this would only be required for "merchants" aka cost of business. If you want to accept and process payments and if a 2FA device becomes a requirement then that is a business cost so get on it or don't accept payments through affected system that requires it. If you want to accept card payments in your store then you need something to do that, that something costs money and will also have a support contract with the provider of it.

 

When sensitive information is involved it is not and never is too much to ask for security measures like 2FA,

You're (unintentionally, I hope) conflating my two points, though. 2FA being required and 2FA not helping if people aren't using it are two separate things. Currently, PayPal doesn't require it, and so not everyone uses it. Of those reusing passwords, it's very likely that if they're doing that, they're also not using 2FA, since they are either ignorant of good security or just don't care. So my point, again, is that since PayPal doesn't require it, even if they pushed it more aggressively, many of these people affected by this attack likely wouldn't have been protected, because they likely wouldn't have enabled 2FA.

 

2FA being required is a totally separate issue. Yes, had it been required, then it would have protected these people. But my point and wanderingfools's is that while it can technically and legally be required, it can't feasibly be done, as doing so would cause issues for a portion of the userbase. IMO, it's enough to simply offer it and encourage its use; people that still don't use it only have themselves to blame, and forcing people to do something, even for their own good, is rarely ideal. As I said, though, it seems to me PayPal could, and should, have pushed it more aggressively, and they certainly should start doing so.


8 minutes ago, leadeater said:

Probably but I doubt it would be required for merchant accounts and only system administrator accounts etc i.e. not affected accounts as part of this news story. I like to ignore PCI DSS as much as I can, it's someone else's problem and I'll do what they tell me is required.

Yea, that's a good idea about ignoring it as much as you can and have someone else deal with it. It is so annoying, and quite a bit of paperwork as well, and depending on what type of mood the auditor is in you can have the systems that are part of the scope greatly increased (even if they are effectively walled off completely).

 

I remember having to set up MFA on VPN (being SAQ B-IP, where we effectively used a 3rd party to handle all CC portions of the transactions). Still, since we had access to the DB and the webserver, we were required to have MFA that met their standards. (Don't get me wrong, MFA is a good concept for VPNs and we had it... just our router at the time didn't handle it in the way that was PCI DSS compliant, so it was an expensive fix).


11 minutes ago, vertigo220 said:

You're (unintentionally, I hope) conflating my two points, though. 2FA being required and 2FA not helping if people aren't using it are two separate things. Currently, PayPal doesn't require it, and so not everyone uses it.

I don't think so since we are discussing it now because of my comment saying it should be required. The suggestion, response and answer to the issue is required 2FA.

 

People not currently using it is a non-factor to making 2FA required, they would have to use it therefore would be using it.

 

Trying to separate them out like you are is needless and actually outside of the point. Usage of 2FA is not a factor or argument against, for or about 2FA being required. There are complexities in making it required and that is why PayPal doesn't do it, that is not why it is not feasible, it totally is.


1 hour ago, vertigo220 said:

This information has been all over the place for years, if not decades. You'd have to be living under a rock to not know it by now. And certainly the types of people that have somehow completely missed this and that are the type to get scammed are not usually going to be using PayPal. I realize there are going to be some, but 35k (especially considering that's only the ones affected before PayPal pulled the plug) seems like an awful lot. And regardless of any of that, I fail to see how it is in any way PayPal's fault or responsibility. I realize they're probably doing what they're doing not because they're being held or feel responsible, but as a PR thing, but it's sad they should even feel the need to simply because people are still following terrible practices. At what point in time and at what level of ignorance can we finally draw a line and say people should be responsible for their own failings? After all, ignorance of the law is no excuse. If somebody really knows so little about computers and internet security, maybe they shouldn't be creating online financial accounts without, oh I don't know, maybe seeking help and advice from someone that does. And by the way, literally anyone and everyone who has a PayPal account has had the opportunity to be properly educated on this. If they have a PayPal account, that means they have internet access, which means they can take literally five minutes or less to do a search on proper password usage and/or how to keep online accounts secure.

 

Part of the problem, and I know this from trying to talk to people about passwords and online security and privacy, is that many people just can't be bothered with it. It's just not something a lot of people really take seriously, even when you try to educate them on it. They'd rather just rely on companies to keep them secure and not think about it. I actually used to want to teach a class at the local library or something, to help educate people so they wouldn't do stuff like this, but after seeing how little people cared and how ungrateful people are in general I just couldn't care about them anymore and couldn't be bothered to do it. I realized I can't keep caring more about others than they do about themselves. And so when I see people having to deal with the repercussions of their ignorance and laziness and apathy, yeah, I don't really feel much sympathy for them as a whole. And again, this all applies to other areas as well. For example, I've simply completely quit trying to explain to overweight (and other) people the issues with drinking diet soft drinks. And just because they apparently can't be bothered to spend a few minutes on Google doing their own research, does that mean we should allow their ignorance to shield them from responsibility for what they're doing to themselves? We live in the age of information; there's no excuse for ignorance on such basic things anymore.

 

They can't "enforce" it, though. They offer it, and it's up to users to activate it. PayPal can't make them do that. They should make it more prominent and make a bigger effort to get people to use it, but that's all they can do. And I'd argue that, to @Brooksie359's point, most people that would know enough to set up and use 2FA would probably also know not to reuse passwords, and inversely most people reusing passwords probably aren't concerned enough about security to bother with 2FA, though that's of course just conjecture. But the point is, I question how many of these accounts would have been protected by 2FA even if PayPal was more aggressive in pushing it.

 

On another note, regarding PayPal's 2FA, unlike many others, they don't provide backup recovery codes, so for those using it with an authenticator app (which you should be either doing that or a hardware key, NOT SMS), if you didn't do it when setting it up, you may want to remove and re-add it and save the seed in case you lose access to your authentication app.

It seems to me you are overestimating the average intelligence of people especially in areas which have poor education. The fact that you would assume people would even know to search how to make a password secure when making a password seems like a big assumption. I would bet people would think that so long as they follow the password requirement of the website they should be good. It probably never even occurred to them that they should be looking up best practices of password making. I think you do not understand the average person as there are a lot of people out there who are not tech savvy, especially the older generations. I know I am smart when it comes to tech but I am aware that I probably do stuff that others would also deem stupid and common sense because of the knowledge they have that I don't. We all have our blind spots and to assume that everyone knows everything is kinda crazy. I mean I find it funny when cities in Southern states shut down when there is a half inch of snow because nobody knows how to drive in the snow and they don't have the infrastructure to plow all of the snow easily. That doesn't make people in Southern states stupid.

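The advice quoted above about saving the authenticator seed rests on how TOTP works: the base32 seed is the only secret, and any device holding it computes the same codes, so a copy of it is a usable backup when the app is lost. As an added illustration (not code from this thread or from PayPal), here is an RFC 6238 implementation with the server-side check; the example seed and the clock-skew window are constructed assumptions.

```python
import base64
import hashlib
import hmac
import struct

# Constructed example seed (NOT a real account's secret). Authenticator apps
# show this base32 string, or a QR code encoding it, when 2FA is first set up.
EXAMPLE_SEED_B32 = "JBSWY3DPEHPK3PXP"


def decode_seed(seed_b32: str) -> bytes:
    """Turn the base32 seed shown at enrolment into raw key bytes.
    Accepts lowercase and spaces (people often copy it that way) and restores
    the '=' padding that many apps omit."""
    cleaned = seed_b32.replace(" ", "").upper()
    cleaned += "=" * (-len(cleaned) % 8)
    return base64.b32decode(cleaned)


def hotp(key: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte counter, then dynamic truncation."""
    digest = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(seed_b32: str, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from the clock."""
    return hotp(decode_seed(seed_b32), unix_time // step, digits)


def verify_totp(seed_b32: str, submitted: str, unix_time: int,
                step: int = 30, skew: int = 1) -> bool:
    """Server-side check: accept the code for the current step and the
    `skew` neighbouring steps (clock drift), comparing in constant time."""
    key = decode_seed(seed_b32)
    counter = unix_time // step
    return any(
        hmac.compare_digest(hotp(key, counter + d), submitted)
        for d in range(-skew, skew + 1)
    )


if __name__ == "__main__":
    import time
    now = int(time.time())
    print("code right now:", totp(EXAMPLE_SEED_B32, now))
    # Two "devices" holding the same seed produce the same code, which is why
    # a saved copy of the seed restores 2FA after the app is lost.
    assert totp(EXAMPLE_SEED_B32, now) == totp("jbsw y3dp ehpk 3pxp", now)
```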

8 minutes ago, leadeater said:

I don't think so since we are discussing it now because of my comment saying it should be required. The suggestion, response and answer to the issue is required 2FA.

 

People not currently using it is a non-factor to making 2FA required, they would have to use it therefore would be using it.

 

Trying to separate them out like you are is needless and actually outside of the point. Usage of 2FA is not a factor or argument against, for or about 2FA being required. There are complexities in making it required and that is why PayPal doesn't do it, that is not why it is not feasible, it totally is.

No, we are discussing it because I made two separate points way back toward the beginning of the conversation about requiring it, in fact before your comment saying it should be required, which when I made them I was discussing them separately. Just because you somehow missed that and since then chose to combine them, creating something entirely separate from what I said, doesn't make my original point any less applicable. I'm not trying to separate them out; you're trying to combine them, so in fact what you're doing is needless. Perhaps you should actually read my original comment about it, this time taking the time to understand what I was saying, instead of just jumping in with your own spin on things and then saying that because you started discussing making it required after I mentioned that without it being required it won't protect people that don't use it, my point is somehow needless. I'm not going to continue going back and forth on this when you clearly didn't read and understand my original post or any of the posts I've made after trying to clarify it for you, causing you to continue to think that I'm somehow saying "usage of 2FA is...a factor or argument against, for or about 2FA being required." One has nothing to do with the other in my original comment on the matter which, again, was made before yours which you're using to muddy the waters.


Re: 2FA, I imagine this has been going like this: "hackers" guessed / bought / social engineered passwords of random google accounts, checked which have interesting secondary accounts, like PayPal, and *then* went on to see which of those reused passwords... pretty simple actually, and in that case using 2FA wouldn't have necessarily protected these accounts because they probably also had their recovery emails compromised. More difficult with a phone number obviously, but again, the "hackers" had the choice here to go for "easy wins".

 

Could be all wrong of course, but that's how I imagine this likely played out anyways.


2 minutes ago, Brooksie359 said:

It seems to me you are overestimating the average intelligence of people especially in areas which have poor education. The fact that you would assume people would even know to search how to make a password secure when making a password seems like a big assumption. I would bet people would think that so long as they follow the password requirement of the website they should be good. It probably never even occurred to them that they should be looking up best practices of password making. I think you do not understand the average person as there are a lot of people out there who are not tech savvy, especially the older generations. I know I am smart when it comes to tech but I am aware that I probably do stuff that others would also deem stupid and common sense because of the knowledge they have that I don't. We all have our blind spots and to assume that everyone knows everything is kinda crazy. I mean I find it funny when cities in Southern states shut down when there is a half inch of snow because nobody knows how to drive in the snow and they don't have the infrastructure to plow all of the snow easily. That doesn't make people in Southern states stupid.

It doesn't make them stupid (though some definitely are, and I could tell some stories), it just makes them inexperienced and ill-equipped (I've lived in the South and the North, btw). People with internet access aren't ill-equipped (they have access to the internet), and while they may be inexperienced, my point is that they have the means at their fingertips, quite literally, to gain experience and knowledge. And if they're using a site like PayPal, they should have at least the basic knowledge to do so. I recognize there are some people out there that genuinely fall into the category you're referring to, and for that small fraction of people I get it. But I suspect a good portion of that 35k (and again, likely much larger number of) people did this more out of ignorance and lack of caring than true inability to grasp what they're doing. And I just find it hard anymore to feel sorry for people as a whole, despite there being some part of that whole that genuinely couldn't help themselves, when so many people just don't try or care. And I admit, I'm jaded, but it's hard not to be anymore.


20 minutes ago, vertigo220 said:

in fact before your comment saying it should be required, which when I made them I was discussing them separately.

You mean the post 2 up from mine which does not say or mention anywhere about 2FA? That post?

 

I think you may be misremembering who brought up MFA/2FA first because it was certainly myself.

 

20 minutes ago, vertigo220 said:

No, we are discussing it because I made two separate points way back toward the beginning of the conversation about requiring it

I know you made your points and my response is exactly the same as per my last post. People not using it doesn't affect making it required. How PayPal does it now doesn't affect PayPal making it required.

 

If PayPal is going to make it required they will do it in the most feasible way, that is rather obvious. Systems get implemented to meet certain objectives and requirements, those would and are different between an optional feature and a required feature.

 

20 minutes ago, vertigo220 said:

Perhaps you should actually read my original comment about it, this time taking the time to understand what I was saying, instead of just jumping in with your own spin on things and then saying that because you started discussing making it required after I mentioned that without it being required it won't protect people that don't use it, my point is somehow needless.

I have and I understood it. It doesn't in any way change anything about what I said or will say on the matter.

 

PayPal can make it required and they can do it in a way that will work for all. They can offer more 2FA options and any usage of 2FA is better than none, even with the flaws with certain 2FA types. PayPal over time can then start to remove those less secure 2FA options as people get used to using 2FA.

 

There are a lot of things that can be done but they all have a cost and that is why PayPal doesn't do it, not because people can't or don't know how to use 2FA. Part of the cost is in user support which can be provided to successfully get those who are required to use 2FA successfully doing so. I can say this because we have users ranging from IT engineers down to gardeners, it's our responsibility like it is PayPal's to ensure that our users are able to use 2FA on systems we require it to be used on.

 

I will reiterate my point and the first ever mention of MFA/2FA in this topic, make MFA/2FA required for this.


20 minutes ago, Mark Kaine said:

Re: 2FA, I imagine this has been going like this: "hackers" guessed / bought / social engineered passwords of random google accounts, checked which have interesting secondary accounts, like PayPal, and *then* went on to see which of those reused passwords... pretty simple actually, and in that case using 2FA wouldn't have necessarily protected these accounts because they probably also had their recovery emails compromised. More difficult with a phone number obviously, but again, the "hackers" had the choice here to go for "easy wins".

That's certainly a possible method used, but this sounds more like they were using a list of data gathered in a breach of some random site, where they got a bunch of correlated emails and passwords on a different site and tried them on PayPal**. I see this as being far more likely than having gained access to this many email accounts, so unless these people also used the same password for their email (and it's a good chance many of them did), they wouldn't necessarily have access to those accounts for the 2FA. But that's just one reason why email is probably the worst form of 2FA, though it could be argued SMS could be equally as bad or worse, which is why I always recommend against using either if an authenticator is an option and why I'm constantly frustrated by banks' refusal to implement authenticator-based 2FA.

 

**There's no reason to believe these same credentials were tried in other sites as well, since there are plenty of other valuable ones out there besides PayPal. I suspect we'll find in the coming weeks/months it happened, and is continuing to happen, on various other sites, and PayPal was simply the first to catch and report it.

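The credential-stuffing pattern described in the post above (a breached email/password list replayed against another site, most attempts failing, a few succeeding where the password was reused) is something a login service can spot in its own authentication logs, which is how a provider gets to "pull the plug" before the whole list has been tried. The following is an added example, not code from this thread or from PayPal, run over constructed log lines; the log format, thresholds and addresses are assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timezone

# Constructed login records (not real PayPal logs): TEST-NET addresses and
# example.com users. One source tries eight different accounts in about two
# minutes and gets a single hit; two ordinary users log in from their own IPs.
SAMPLE_LOG = """
2023-01-17T10:00:01Z ip=198.51.100.20 user=alice@example.com result=FAIL
2023-01-17T10:00:09Z ip=198.51.100.20 user=alice@example.com result=OK
2023-01-17T10:01:00Z ip=203.0.113.7 user=u1@example.com result=FAIL
2023-01-17T10:01:12Z ip=203.0.113.7 user=u2@example.com result=FAIL
2023-01-17T10:01:25Z ip=203.0.113.7 user=u3@example.com result=FAIL
2023-01-17T10:01:37Z ip=203.0.113.7 user=u4@example.com result=FAIL
2023-01-17T10:01:50Z ip=203.0.113.7 user=u5@example.com result=FAIL
2023-01-17T10:02:02Z ip=203.0.113.7 user=bob@example.com result=OK
2023-01-17T10:02:15Z ip=203.0.113.7 user=u6@example.com result=FAIL
2023-01-17T10:02:28Z ip=203.0.113.7 user=u7@example.com result=FAIL
2023-01-17T10:03:00Z ip=192.0.2.44 user=carol@example.com result=OK
""".strip().splitlines()

LOG_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\dT\d\d:\d\d:\d\dZ) ip=(?P<ip>\S+) "
    r"user=(?P<user>\S+) result=(?P<result>OK|FAIL)$"
)


def parse_line(line):
    """Return (timestamp, ip, user, result), or None for lines that do not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return ts, m["ip"], m["user"], m["result"]


def detect_stuffing(lines, window_s=300, min_distinct_users=5, max_success_ratio=0.2):
    """Flag source IPs that, within any sliding window of `window_s` seconds,
    try at least `min_distinct_users` different accounts while mostly failing.
    A real user retyping a password hits one account; a stuffing run sprays
    many accounts and succeeds only where a leaked password was reused.
    Returns (flagged, compromised): per-IP evidence, and the accounts that
    logged in successfully from a flagged IP (candidates for a forced reset)."""
    events = sorted((e for e in map(parse_line, lines) if e), key=lambda e: e[0])
    recent = defaultdict(deque)  # ip -> events inside the current window
    flagged = {}
    for ts, ip, user, result in events:
        q = recent[ip]
        q.append((ts, user, result))
        while (ts - q[0][0]).total_seconds() > window_s:
            q.popleft()
        users = {u for _, u, _ in q}
        successes = sum(1 for _, _, r in q if r == "OK")
        if len(users) >= min_distinct_users and successes / len(q) <= max_success_ratio:
            prev = flagged.get(ip)  # keep the strongest evidence seen for this IP
            if prev is None or len(users) > prev["distinct_users"]:
                flagged[ip] = {"distinct_users": len(users), "attempts": len(q),
                               "successes": successes, "last_seen": ts.isoformat()}
    # Caveat: a shared NAT or corporate proxy can look like this too, so these
    # accounts are review candidates, not proof of compromise.
    compromised = sorted({u for _, ip, u, r in events if ip in flagged and r == "OK"})
    return flagged, compromised


if __name__ == "__main__":
    hits, accounts = detect_stuffing(SAMPLE_LOG)
    for ip, info in hits.items():
        print(f"{ip}: {info}")
    print("accounts to review:", accounts)
```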

38 minutes ago, Mark Kaine said:

Re: 2FA, I imagine this has been going like this: "hackers" guessed / bought / social engineered passwords of random google accounts, checked which have interesting secondary accounts, like PayPal, and *then* went on to see which of those reused passwords... pretty simple actually, and in that case using 2FA wouldn't have necessarily protected these accounts because they probably also had their recovery emails compromised. More difficult with a phone number obviously, but again, the "hackers" had the choice here to go for "easy wins".

 

Could be all wrong of course, but that's how I imagine this likely played out anyways.

I have a suspicion this is related to the Norton LifeLock situation and comes from the same source of accounts/emails and passwords. Multiple instances of account breaches using the same method all within a small time window, if I were betting then I'd be betting on them all being related.


14 hours ago, wanderingfool2 said:

I know of at least 4 people who do not have a cell phone,

yubikey........ As i said, excuses......

  

14 hours ago, vertigo220 said:

People share accounts all the time.

Everyone jumps into the well you jump after them? :old-eyeroll:


6 hours ago, jagdtigger said:

yubikey........ As i said, excuses......

And you are just trying to look for a justification of your point. Read what I said, "requires either a device or phone". If you are going to be so concerned about the pedantic of excuses, then why not just go the one step further and require all paypal accounts to activate the webcam and use facial recognition with a random voice to have it as MFA. Lot safer than 2FA using a phone or yubikey.


On 1/23/2023 at 2:32 PM, leadeater said:

I have a suspicion this is related to the Norton LifeLock situation and comes from the same source of accounts/emails and passwords. Multiple instances of account breaches using the same method all within a small time window, if I were betting then I'd be betting on them all being related.

So do I, it's probably after that data was harvested they just reused it to see how many accounts they could get into at PayPal.

With 35K hits, IF this was the source of their info to try it, says a lot about some that just don't understand about security. That's a lot of hits and $$ taken, I can promise you with this there's more to come from other attack angles and we'll probably see these additional attacks/hacks take place before long.

Good thing I've closed my PP account already and never had any of my bank accounts "Tied" to it.
The one that I used to pay out from and take in payments with was closed to make sure that loose end was tied up right before I closed the PP account.

They tried to tell me I had to associate an account from my bank (Via routing number) to it for deposits and payments....
That never happened of course and damned glad I never allowed that to happen.


2 hours ago, wanderingfool2 said:

And you are just trying to look for a justification of your point.

Says the one who is hell-bent on finding an excuse why ppl shouldn't use 2fa. Let me make it easy for you, there is no excuse for not using it. TBH all these ppl who didn't use it and got boned because of it shouldn't get any compensation because the breach happened because of their negligence.


4 minutes ago, jagdtigger said:

Says the one who is hell-bent on finding an excuse why ppl shouldn't use 2fa. Let me make it easy for you, there is no excuse for not using it. TBH all these ppl who didn't use it and got boned because of it shouldn't get any compensation because the breach happened because of their negligence.

If you ever have a cell outage that removes your ability to access funds that you need, then you have no reason to complain. You are conflating me saying it shouldn't be mandatory vs it shouldn't be used. There are reasons why one might not want 2FA on certain things and trying to claim that someone should pony over $20 for the luxury of "security" is just trying to find an excuse. Like I said, if you are so insistent that people without a cell could then start using YubiKeys then I am telling you that why not implement video feeds with voice processing.

 

Protecting yourself with a strong password that isn't reused would effectively be as effective as having a 2FA (to the extent that Paypal would have to be compromised in order for an attacker to use that, or your computer would need to be compromised)


8 hours ago, jagdtigger said:

Says the one who is hell-bent on finding an excuse why ppl shouldn't use 2fa. Let me make it easy for you, there is no excuse for not using it.

After hearing about this news it reminded me to log in to my PayPal account and set 2FA. 

When I enabled 2FA it forces me to confirm by making an automated phone call to the home phone number on my account. The phone number is outdated. PayPal does not let you remove a home phone number without adding another home phone number first. It's 2023 and I don't have a home phone number so I can't remove the old phone number on the account and PayPal doesn't offer an option to verify through another method or mobile phone number, meaning I can't enable 2FA. I tried contacting PayPal customer support to see if they could remove the number and 3 times I got "no support agents available" and the chat bot directed me to unrelated FAQ articles.

My excuse is PayPal is making it too damn difficult to enable it.


41 minutes ago, Spotty said:

After hearing about this news it reminded me to log in to my PayPal account and set 2FA. 

When I enabled 2FA it forces me to confirm by making an automated phone call to the home phone number on my account. The phone number is outdated. PayPal does not let you remove a home phone number without adding another home phone number first. It's 2023 and I don't have a home phone number so I can't remove the old phone number on the account and PayPal doesn't offer an option to verify through another method or mobile phone number, meaning I can't enable 2FA. I tried contacting PayPal customer support to see if they could remove the number and 3 times I got "no support agents available" and the chat bot directed me to unrelated FAQ articles.

My excuse is PayPal is making it too damn difficult to enable it.

Interesting. I set it earlier as well but didn't have to do any of that. I don't have a home phone number set, though, only mobile, so maybe something to do with that. You can't add a mobile number then remove the home one?

 

It amazes me how difficult so many companies/websites make it to change things. I recently went through and changed my email, or at least tried to, on a bunch of sites/services, and some were much more of a pain than they should be for doing so and some I just couldn't do it, and for those I contacted their various supports (again, often much more difficult than it should be), and out of those, a couple changed it and a few were completely useless. So I've been completely unable to change my email with Discord, Steam, Epic Games, and GitLab. Utter incompetence and useless customer "service" on their end leading to massive frustration on mine. At least the issue with Discord was the final straw I needed to do what I should have done long ago and moved away from them. And Epic Games is so bad I actually disabled 2FA after enabling it because it was such a nightmare, so yeah, there are valid reasons to not use it. I also love how most of them send a verification link to the new email, but many of them don't send anything to the old one notifying of the change. It's really amazing, and disturbing, how lax the security so often is.


1 minute ago, vertigo220 said:

You can't add a mobile number then remove the home one?

Nope, I already have a mobile number on the account. Paypal treats Mobile and Home phone numbers separately and you can't remove an old home number without setting another home number and assigning the new home number as the "Primary" home number.

 

What's funny though is I just tried enabling 2FA again and it let me add it without confirming at all. ¯\_(ツ)_/¯


1 minute ago, Spotty said:

What's funny though is I just tried enabling 2FA again and it let me add it without confirming at all. ¯\_(ツ)_/¯

Sounds about right... 😕 
