PayPal Credential Stuffing Attack Could Lead to Future Phishing Attacks; What All Users Should Do

Date: 02/08/2023
  • Identity criminals never stop working. They may use one attack as a catalyst for another. That could be the case with a recent PayPal data breach.
  • The Office of the Maine Attorney General reports that nearly 35,000 PayPal accounts were accessed via a credential stuffing cyberattack, exposing names, addresses, Social Security numbers, tax identification numbers and dates of birth.
  • Even if PayPal users did not get a notice, they should be aware. Criminals could use the credential stuffing attack to strike with phishing attacks.
  • All PayPal users should ignore any messages they receive that they are not expecting. Instead, they should reach out directly to PayPal to verify the validity of the message.
  • PayPal users should also change their passwords, use a 12+ character unique passphrase, and enable multi-factor authentication with an app, if possible.
  • To learn more about the PayPal data breach, how to protect yourself, or if you believe you were impacted by the credential stuffing attack, call the Identity Theft Resource Center toll-free by phone (888.400.5530) or live-chat on the company website idtheftcenter.org.

Identity criminals never stop working. They often use one identity crime or data incident as a springboard to attack people in another way. A recent PayPal data breach may be no different. All PayPal users should take the proper steps to ensure they and their accounts are safe after a credential stuffing cyberattack impacted nearly 35,000 people. The incident could lead to future phishing attacks.

What Happened

According to the Office of the Maine Attorney General and Cybersecurity Dive, almost 35,000 PayPal accounts were accessed via a credential stuffing attack, a type of cyberattack where identity criminals take logins and passwords stolen elsewhere and try them, usually at high volume and with automated tools, against other networks or databases, relying on people reusing the same password. The PayPal attack exposed personal information, including names, addresses, Social Security numbers, tax identification numbers and dates of birth. PayPal sent notices of the credential stuffing attack to impacted customers and emphasized that the company has no evidence that personal information was misused due to the incident.
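To make that pattern concrete from the defender's side, here is an added example (not from the ITRC article or from PayPal) that flags the credential stuffing signature in constructed login records: one source trying many different accounts within seconds and mostly failing, plus the few accounts it did get into, which are the ones to force a password reset on. The log format and the thresholds are assumptions for the example.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample log: timestamp, source IP, username, outcome. The first source
# cycles through many different accounts in seconds; the second is a person retrying one.
SAMPLE_LOG = """\
2023-01-06T12:00:01Z 203.0.113.7 alice@example.com FAIL
2023-01-06T12:00:02Z 203.0.113.7 bob@example.com FAIL
2023-01-06T12:00:02Z 203.0.113.7 carol@example.com SUCCESS
2023-01-06T12:00:03Z 203.0.113.7 dave@example.com FAIL
2023-01-06T12:00:04Z 203.0.113.7 erin@example.com FAIL
2023-01-06T12:00:05Z 203.0.113.7 frank@example.com FAIL
2023-01-06T12:05:00Z 198.51.100.4 grace@example.com FAIL
2023-01-06T12:05:30Z 198.51.100.4 grace@example.com FAIL
2023-01-06T12:06:00Z 198.51.100.4 grace@example.com SUCCESS
"""

def parse_log(text):
    """Return (timestamp, ip, user, succeeded) tuples from the constructed format."""
    events = []
    for line in text.splitlines():
        ts, ip, user, outcome = line.split()
        stamp = datetime.fromisoformat(ts.replace("Z", "+00:00"))
        events.append((stamp, ip, user, outcome == "SUCCESS"))
    return events

def flag_stuffing(events, window_s=60, min_users=5, max_success_ratio=0.5):
    """Return {ip: stats} for sources that tried >= min_users distinct accounts within
    window_s seconds with mostly failures. Thresholds are assumptions; tune them per site."""
    by_ip = defaultdict(list)
    for ts, ip, user, ok in events:
        by_ip[ip].append((ts, user, ok))
    flagged = {}
    for ip, rows in by_ip.items():
        rows.sort()
        start = 0
        for end in range(len(rows)):
            # slide the window start forward until it spans at most window_s seconds
            while (rows[end][0] - rows[start][0]).total_seconds() > window_s:
                start += 1
            win = rows[start:end + 1]
            users = {u for _, u, _ in win}
            successes = sum(ok for _, _, ok in win)
            if len(users) >= min_users and successes / len(win) <= max_success_ratio:
                flagged[ip] = {"attempts": len(win), "distinct_users": len(users), "successes": successes}
    return flagged

def accounts_to_reset(events, flagged):
    """Accounts a flagged source logged into: their passwords were reused and need a forced reset."""
    return sorted({user for _, ip, user, ok in events if ok and ip in flagged})
```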

Identity Thieves Could Use PayPal Incident to Launch Phishing Attacks

PayPal users who did not get a notice should still be on high alert. Identity criminals could use the PayPal data breach and credential stuffing attack as a pretext for an array of phishing attacks designed to steal user data like login credentials and credit card or bank account information.

What All PayPal Users Should Do

  • Watch out for phishing attacks. If you receive a text, email, or message from PayPal you are not expecting, do not respond or click on any links. Instead, reach out to PayPal directly to verify the validity of the message.
  • Change your password. Using the same password on multiple accounts is not a best practice, because a password exposed in one breach unlocks every account it is reused on. Changing your password will make it more difficult for a criminal to access your account. Even if you have a unique password for each account and did not receive a notice about the PayPal credential stuffing attack, it is a good idea to change your password to be safe.
  • Use a unique passphrase on your account. It is recommended to have 12+ character unique passphrases on all your accounts. It is one of the best ways to protect your personal information. Unique passphrases 12+ characters long are easier to remember and harder for identity criminals to crack.
  • Enable multi-factor authentication (MFA) with a mobile app, if possible. MFA provides an added layer of security on your account. Using it with an app is best because SMS messages can be spoofed.*
  • Freeze your credit. A credit freeze is the best way to prevent new accounts from being opened in your name. For more information on how to freeze your credit, read our fact sheet.

Contact the ITRC

If you have additional questions about the PayPal data breach, think you were impacted by the credential stuffing attack, or believe you were a victim of an identity crime, contact us. You can speak with an Identity Theft Resource Center expert advisor toll-free by phone (888.400.5530) or live-chat on the company website. Just visit www.idtheftcenter.org to get started. 

*MFA stands for Multi-Factor Authentication. It is an extra layer of security used to protect your online accounts. It requires you to provide two or more pieces of evidence (or “factors”) to verify your identity. This could include something you know (like a password or PIN), something you have (like a phone or security token), or something you are (like a fingerprint or facial recognition). MFA helps protect your accounts from unauthorized access by making it harder for attackers to gain access.

Most websites and accounts use MFA with a code that’s sent to you by text or email, but that is not the most secure form of MFA. MFA that uses a separate authentication mobile application to generate the login code is the most secure. Authentication apps are available from Google, Microsoft, and other mainstream software developers. Only download apps from a reputable app store like the ones from Apple, Google, Microsoft, or Samsung. Never download software directly from a product website because the app and website may be fake or contain harmful software.
