
PayPal Accounts Breached in Credential Stuffing Attack

PayPal reports that between December 6th and December 8th, 2022, it experienced a large-scale credential stuffing attack targeting its users. The attackers successfully breached 34,942 accounts before the attack was detected and mitigated by PayPal, which rotated the account credentials of affected users and notified them via email of the breach. PayPal also offered affected users a free two-year identity monitoring service from Equifax. While the attackers had full access to the accounts during the two-day period, no attempts were made to perform any actions on the accounts. PayPal indicated that its systems were not breached in any way and that the credentials were not obtained directly from it.

Analyst Notes

Credential stuffing attacks are a technique of using lists of credentials from past data breaches against a new site, with the goal of finding an account that reuses those compromised credentials across multiple sites. From an organizational standpoint, the best action to take against credential stuffing attacks is to educate end users on this form of attack and advise them of the dangers of using an identical password across multiple sites. In many cases, however, this alone is not enough to sway a user from using an identical password, but there are additional prevention and detection steps that an organization can take. For example, an organization can implement strong password policies – ones that set character, symbol, and number minimums – as well as ensuring that passwords are set to rotate frequently. Additionally, an organization can employ detection rules to look out for credential stuffing attacks. Some possible detection opportunities are:

• Monitoring for a large number of failed authentications in a short time frame
• Monitoring for a large number of successful authentications from the same IP
• Monitoring for successful authentications from a suspicious location
• Monitoring for successful authentications at unusual times
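As an added example (not code from the post, PayPal, or ARC Labs), the Python below runs the first two detection ideas above over constructed sample authentication log lines: a burst of failed logins from one source IP, and one source IP successfully logging into many distinct accounts, which is the typical footprint of a stuffing run. The log format, usernames, IP addresses and thresholds are all assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample authentication log (not real data).
# Assumed format: "<ISO timestamp> <user> <src_ip> <SUCCESS|FAIL>"
SAMPLE_LOG = """\
2022-12-06T01:00:00 alice 203.0.113.5 FAIL
2022-12-06T01:00:02 bob 203.0.113.5 FAIL
2022-12-06T01:00:04 carol 203.0.113.5 FAIL
2022-12-06T01:00:05 dave 203.0.113.5 SUCCESS
2022-12-06T01:00:07 erin 203.0.113.5 FAIL
2022-12-06T01:00:09 frank 203.0.113.5 SUCCESS
2022-12-06T01:00:11 grace 203.0.113.5 FAIL
2022-12-06T01:00:12 heidi 203.0.113.5 SUCCESS
2022-12-06T09:15:00 alice 198.51.100.7 SUCCESS
2022-12-06T09:20:00 alice 198.51.100.7 FAIL
2022-12-06T09:20:30 alice 198.51.100.7 SUCCESS
"""

def parse_log(text):
    """Parse log lines into (timestamp, user, src_ip, result) tuples sorted by time."""
    events = []
    for line in text.splitlines():
        ts, user, ip, result = line.split()
        events.append((datetime.fromisoformat(ts), user, ip, result))
    return sorted(events)

def failed_auth_bursts(events, window=timedelta(minutes=5), threshold=5):
    """Source IPs with at least `threshold` failed logins inside any sliding `window`."""
    fails = defaultdict(list)
    for ts, _, ip, result in events:
        if result == "FAIL":
            fails[ip].append(ts)          # already in time order
    flagged = set()
    for ip, times in fails.items():
        start = 0
        for end, ts in enumerate(times):
            while ts - times[start] > window:   # slide window forward
                start += 1
            if end - start + 1 >= threshold:
                flagged.add(ip)
                break
    return flagged

def multi_account_successes(events, threshold=3):
    """Source IPs that successfully authenticated to at least `threshold` distinct accounts."""
    accounts = defaultdict(set)
    for _, user, ip, result in events:
        if result == "SUCCESS":
            accounts[ip].add(user)
    return {ip for ip, users in accounts.items() if len(users) >= threshold}
```

A legitimate user retrying a mistyped password (198.51.100.7 above) trips neither rule, while the stuffing source (203.0.113.5) trips both; in production the thresholds would be tuned to the site's baseline login volume.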