PayPal, a leading payment processing platform, disclosed on December 20, 2022, that it had experienced a data breach earlier that month. Based on PayPal's own internal investigation, unauthorized parties gained access to customer accounts over a 48-hour period that began on December 6. The attackers used a credential stuffing attack to get into the accounts of nearly 35,000 users. PayPal states that none of the credentials used in the attack were obtained from its own internal systems. Its IT team stopped the attack on December 8 and immediately began resetting the passwords of all affected accounts. The company began contacting affected customers on January 18, informing them that their name, address, Social Security number, individual tax identification number and date of birth may have been exposed. There is no evidence at this time that the compromised data has been misused.
Basis of the Case
Two PayPal customers filed a complaint on March 2, 2023, in the Northern District of California alleging that PayPal knew or should have known that its computer systems and data security practices were inadequate to safeguard its customers' Private Information. The plaintiffs allege that PayPal failed to implement basic security practices, including those set out in the NIST Cybersecurity Framework and Federal Trade Commission guidelines, and violated multiple state consumer protection laws, and that it therefore breached its duty of care to secure the data it hosted. They further claim that they and the other class members remain at significant risk of identity theft. They are seeking an unspecified amount of monetary damages, reimbursement for the time spent dealing with the breach, and lifetime credit monitoring and identity theft insurance.
Call to Action
In a credential stuffing attack, an attacker attempts to log in to accounts using username/password pairs taken from data breaches at unrelated, third-party websites. It works because many people reuse not only the same email address as their username but the same password as well. Attackers either harvest these pairs in a breach of their own or buy them on the dark web, then replay them against popular websites using automated bots, typically trying each pair once against many accounts rather than guessing many passwords for one account. This is why multifactor authentication (MFA) is so important today. Had MFA been enforced for all users, a stolen password alone would not have been enough to log in, and the attack could not have succeeded at scale. Multifactor authentication has several benefits:
- It adds an extra layer of security to online accounts by requiring two or more factors of authentication to verify a user's identity.
- It protects against password-based attacks such as credential stuffing, dictionary attacks and brute force attacks. Even if an attacker has a user's full username and password, they still need the additional factor.
- It satisfies a growing number of industry compliance regulations that now require multifactor authentication.
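The attack pattern described above leaves a recognizable trace in login logs: one source address trying many different usernames, roughly one password each, with failures dominating and a handful of successes. The following is an added example, not code from the original article or from PayPal; the log line format (timestamp, client IP, username, result), the sample lines and the thresholds are all constructed assumptions.

```python
"""Credential-stuffing detector over constructed login-audit lines.

Added example, not from the original article. The log line format
(timestamp, client IP, username, result) and the thresholds are assumptions;
a real deployment tunes them to its own traffic and adds a time window.
"""
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample: 203.0.113.10 cycles through eight different usernames,
# one password each, mostly failing (stuffing, with two hits). 198.51.100.7
# is a normal user who mistypes once. Both addresses are documentation ranges.
SAMPLE_LOG = """\
2022-12-06T03:00:01Z 203.0.113.10 alice@example.com FAIL
2022-12-06T03:00:01Z 203.0.113.10 bob@example.com FAIL
2022-12-06T03:00:02Z 203.0.113.10 carol@example.com OK
2022-12-06T03:00:02Z 203.0.113.10 dave@example.com FAIL
2022-12-06T03:00:03Z 203.0.113.10 erin@example.com FAIL
2022-12-06T03:00:03Z 203.0.113.10 frank@example.com FAIL
2022-12-06T03:00:04Z 203.0.113.10 grace@example.com OK
2022-12-06T03:00:04Z 203.0.113.10 heidi@example.com FAIL
2022-12-06T03:05:00Z 198.51.100.7 ivan@example.com FAIL
2022-12-06T03:05:09Z 198.51.100.7 ivan@example.com OK
"""


@dataclass(frozen=True)
class Finding:
    ip: str
    attempts: int
    distinct_users: int
    failures: int
    compromised: tuple  # usernames that logged in OK from the flagged source


def parse(log_text):
    """Split each non-empty line into (timestamp, ip, username, result)."""
    rows = []
    for line in log_text.splitlines():
        if line.strip():
            ts, ip, user, result = line.split()
            rows.append((ts, ip, user, result))
    return rows


def detect(rows, min_attempts=5, min_user_ratio=0.8, min_fail_ratio=0.5):
    """Flag sources whose login traffic looks like stuffing.

    The distinguishing signal is distinct_users / attempts: brute force hits
    one account with many passwords (ratio near 0), stuffing hits many
    accounts with one password each (ratio near 1). Failures dominate in
    both, so the failure ratio alone does not tell them apart.
    """
    per_ip = defaultdict(list)
    for _, ip, user, result in rows:
        per_ip[ip].append((user, result))

    findings = []
    for ip, events in per_ip.items():
        attempts = len(events)
        if attempts < min_attempts:
            continue
        users = {u for u, _ in events}
        failures = sum(1 for _, r in events if r == "FAIL")
        if (len(users) / attempts >= min_user_ratio
                and failures / attempts >= min_fail_ratio):
            # Successful logins inside a stuffing burst are the accounts whose
            # reused password worked; these are the ones to force-reset.
            hits = tuple(sorted(u for u, r in events if r == "OK"))
            findings.append(Finding(ip, attempts, len(users), failures, hits))
    return findings


if __name__ == "__main__":
    for f in detect(parse(SAMPLE_LOG)):
        print(f"{f.ip}: {f.attempts} attempts, {f.distinct_users} users, "
              f"{f.failures} failures; reset: {', '.join(f.compromised)}")
```

The `compromised` list is the operational output: it is the set of accounts whose reused password worked during the burst, which is exactly the population that needs a forced password reset and notification. Real attackers spread traffic across proxy networks, so a production version keys on more than the source IP (device fingerprint, ASN, request timing) and evaluates counts over a sliding window.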
While SMS remains the most popular form of MFA, it is also the least secure: attackers routinely defeat one-time codes through SIM swapping and through real-time phishing sites that relay the code as the victim types it. One stronger alternative is a FIDO security key (Fast IDentity Online). A FIDO key is a small physical device, usually plugged into a USB port (some also work over NFC or Bluetooth), that holds a separate private key for each site it is registered with and uses it to produce a unique digital signature for each login attempt. The online service verifies the signature with the matching public key it stored at registration. The key will only sign if the user touches it during the login, which proves that a person is physically present with the device. The phishing resistance comes from how the signature is built: the browser, not the web page, records the origin of the site requesting the login, and the key's credential is scoped to the site it was registered with, so a look-alike phishing site cannot obtain a signature that the real site will accept; and because each signature covers a fresh challenge from the server, a signature captured in transit cannot be replayed later. As a result, a user cannot log on to their account without possession of the physical FIDO key. Those who have a Google account can see this in action, as Google supports FIDO keys for both its employees and users. Since requiring security keys for its 85,000+ employees in 2017, Google has reported no confirmed account takeovers of employee work accounts. Those who use Microsoft Intune or Azure can require a FIDO key plus a PIN on the key for even greater protection. As credential stuffing attacks grow more prevalent, the need for MFA will only grow. Contact HALOCK Security Labs to learn more about MFA and other security controls to combat credential stuffing attacks. HALOCK can also conduct a risk assessment to identify and evaluate the potential risks and vulnerabilities that threaten your organization.
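The checks that give a security key its phishing and replay resistance are easier to see in code than in prose. Below is an added example, not code from PayPal, Google, Microsoft or any FIDO vendor, that follows the WebAuthn message layout (clientDataJSON carrying type, challenge and origin; authenticatorData beginning with SHA-256 of the rpId and a flags byte whose low bit records the touch; signature over authenticatorData || SHA-256(clientDataJSON)). One assumption is made so it runs with the Python standard library alone: the per-site ECDSA key pair is replaced by a per-site secret and HMAC-SHA256 stands in for the signature. The site names `example.com` and `example.com.evil` and the user `alice` are placeholders.

```python
"""Why a security-key login resists phishing and replay: a WebAuthn-style
assertion check using only the standard library.

Added example, not vendor code. Assumption: HMAC-SHA256 over a per-site
secret stands in for the ECDSA signature a real key makes with a private
key that never leaves the device. Message layout follows WebAuthn.
"""
import hashlib
import hmac
import json
import os

RP_ID = "example.com"                    # assumed relying party (site) id
ORIGIN = "https://example.com"           # the only origin the site accepts
PHISH_ORIGIN = "https://example.com.evil"  # look-alike phishing site


class Authenticator:
    """Toy security key: one credential per rpId, used only when touched."""

    def __init__(self):
        self._creds = {}  # rpId -> secret (stand-in for the private key)

    def register(self, rp_id):
        self._creds[rp_id] = os.urandom(32)
        return self._creds[rp_id]  # stand-in for the public key sent to the site

    def get_assertion(self, rp_id, client_data_json, touched=True):
        # Credentials are scoped to the rpId the browser derived from the
        # origin, so a look-alike site never sees the real site's credential.
        secret = self._creds.get(rp_id)
        if secret is None:
            return None
        flags = 0x01 if touched else 0x00  # bit 0 = user present (the touch)
        counter = (1).to_bytes(4, "big")
        auth_data = hashlib.sha256(rp_id.encode()).digest() + bytes([flags]) + counter
        signed = auth_data + hashlib.sha256(client_data_json).digest()
        return auth_data, hmac.new(secret, signed, hashlib.sha256).digest()


def browser_client_data(challenge, origin):
    """The browser builds clientDataJSON; the page cannot alter the origin."""
    return json.dumps({"type": "webauthn.get", "challenge": challenge,
                       "origin": origin}).encode()


class RelyingParty:
    def __init__(self, rp_id, origin):
        self.rp_id, self.origin = rp_id, origin
        self.pending = set()   # challenges issued and not yet consumed
        self.cred_keys = {}    # user -> credential material from registration

    def begin_login(self):
        challenge = os.urandom(16).hex()
        self.pending.add(challenge)
        return challenge

    def verify(self, user, client_data_json, auth_data, sig):
        cd = json.loads(client_data_json)
        if cd.get("type") != "webauthn.get":
            return False, "wrong ceremony type"
        if cd.get("challenge") not in self.pending:
            return False, "stale or unknown challenge"   # blocks replay
        if cd.get("origin") != self.origin:
            return False, "origin mismatch"              # blocks phishing relay
        if auth_data[:32] != hashlib.sha256(self.rp_id.encode()).digest():
            return False, "rpIdHash mismatch"
        if not auth_data[32] & 0x01:
            return False, "user presence not asserted"   # no touch, no login
        signed = auth_data + hashlib.sha256(client_data_json).digest()
        expected = hmac.new(self.cred_keys[user], signed, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, sig):
            return False, "bad signature"
        self.pending.discard(cd["challenge"])  # each challenge is single-use
        return True, "ok"


def demo():
    """Run four ceremonies and return {name: (accepted, reason)}."""
    key, rp = Authenticator(), RelyingParty(RP_ID, ORIGIN)
    rp.cred_keys["alice"] = key.register(RP_ID)
    out = {}
    # 1. Genuine login from the real origin.
    ch = rp.begin_login()
    cdj = browser_client_data(ch, ORIGIN)
    ad, sig = key.get_assertion(RP_ID, cdj)
    out["legit"] = rp.verify("alice", cdj, ad, sig)
    # 2. The same assertion captured and replayed: challenge already consumed.
    out["replay"] = rp.verify("alice", cdj, ad, sig)
    # 3. Phishing site: the browser derives rpId "example.com.evil", and the
    #    key holds no credential for it, so no assertion is produced at all.
    ch = rp.begin_login()
    cdj = browser_client_data(ch, PHISH_ORIGIN)
    res = key.get_assertion("example.com.evil", cdj)
    out["phish"] = (False, "no credential for rpId") if res is None else (False, "unexpected")
    # 4. Even if the browser-side scoping were bypassed and the real credential
    #    signed, the origin the browser stamped still fails on the server.
    ad, sig = key.get_assertion(RP_ID, cdj)
    out["origin"] = rp.verify("alice", cdj, ad, sig)
    return out


if __name__ == "__main__":
    for name, (ok, why) in demo().items():
        print(f"{name:7s} -> {'accepted' if ok else 'rejected'}: {why}")
```

The order of the server checks matters: challenge freshness and origin are validated before the signature, so a relayed or replayed assertion is rejected even when the cryptography on it is perfectly valid. That is the property SMS and app-generated codes lack; a code is just a number the victim can be talked into typing into the wrong site, while a FIDO signature is bound to the site that asked for it.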