PayPal, the internationally renowned online payment platform, recently began notifying approximately 35,000 users that their private information was exposed during a credential stuffing attack that took place last year.

Many experts are now weighing in, citing the inherent weaknesses of passwords not only as the cause of this breach but as a prevalent cybersecurity problem. With Change Your Password Day approaching on February 1, the incident highlights why enterprises and users should mark the date with a review of their current credentials and password practices.

Personal data involved in the incident

Media reports indicate that the attack took place between 6 and 8 December. On detecting the unauthorised access, PayPal moved quickly to contain any further impact and immediately launched an investigation.

In an official statement on December 20, PayPal confirmed that unauthorised third parties had used stolen credentials to gain access to accounts, but that no evidence had been found of a breach of the company's own systems. The credentials were therefore judged to have been obtained elsewhere, which is the defining pattern of credential stuffing: attackers replay username and password pairs leaked in other sites' breaches against accounts whose owners reused them.

The personal data exposed in the incident included account holders' full names, dates of birth, Social Security numbers, postal addresses and tax IDs, along with payment information. PayPal wrote to affected users explaining the actions it had taken after discovering the attack:

“We reset the passwords of the affected PayPal accounts and implemented enhanced security controls that will require you to establish a new password the next time you log in to your account.”

Cybersecurity experts react

Given the scale of the attack and the high profile of the company, the breach has drawn comment from a number of cybersecurity experts.

Baber Amin, Chief Product and Operating Officer at Veridium, said that major firms such as PayPal must do more to protect the user data entrusted to them:

“As trusted vendors, PayPal and others need to set a higher bar here.”

Amin suggested that enterprises should rigorously monitor their systems for suspicious behaviour. A high volume of failed login attempts, for instance, is a tell-tale sign of credential stuffing in progress and should be checked for regularly. He added that enterprises should also actively encourage users to enable two-factor authentication (2FA), or go further and remove passwords from user-facing systems altogether by adopting passkeys.
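The monitoring Amin describes is easy to get wrong: a raw count of failed logins also fires on ordinary typos and on single-account brute force. What distinguishes credential stuffing is one source failing across many different usernames, with the occasional success where a user reused a leaked password. The script below is an added example, not PayPal's or Veridium's tooling; the log line format, the field names, the source addresses (RFC 5737 documentation ranges), the sample lines and the thresholds are all assumptions constructed for illustration. It goes slightly beyond the text by also separating single-account password guessing from stuffing, and by listing the accounts that need a forced reset.

```python
"""Credential-stuffing detection over authentication log lines.

Added example (not PayPal's or Veridium's code). The log format, field names,
addresses, sample lines and thresholds are assumptions for illustration.
"""
from collections import defaultdict
from dataclasses import dataclass, field
import re

# Assumed log format: "<timestamp> src=<ip> user=<name> result=OK|FAIL"
LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+src=(?P<ip>[0-9a-fA-F:.]+)\s+user=(?P<user>\S+)"
    r"\s+result=(?P<result>OK|FAIL)\s*$"
)

# Constructed sample: 203.0.113.7 sprays eight different accounts and gets one
# hit; 198.51.100.4 is a legitimate user mistyping a password twice;
# 192.0.2.9 hammers a single account (password guessing, not stuffing).
SAMPLE_LOG = """\
2023-01-15T10:00:01Z src=203.0.113.7 user=alice result=FAIL
2023-01-15T10:00:01Z src=203.0.113.7 user=bob result=FAIL
2023-01-15T10:00:02Z src=203.0.113.7 user=carol result=OK
2023-01-15T10:00:02Z src=203.0.113.7 user=dave result=FAIL
2023-01-15T10:00:03Z src=203.0.113.7 user=erin result=FAIL
2023-01-15T10:00:03Z src=203.0.113.7 user=frank result=FAIL
2023-01-15T10:00:04Z src=203.0.113.7 user=grace result=FAIL
2023-01-15T10:00:04Z src=203.0.113.7 user=heidi result=FAIL
2023-01-15T10:05:00Z src=198.51.100.4 user=alice result=FAIL
2023-01-15T10:05:10Z src=198.51.100.4 user=alice result=FAIL
2023-01-15T10:05:20Z src=198.51.100.4 user=alice result=OK
2023-01-15T10:06:00Z src=192.0.2.9 user=ivan result=FAIL
2023-01-15T10:06:01Z src=192.0.2.9 user=ivan result=FAIL
2023-01-15T10:06:02Z src=192.0.2.9 user=ivan result=FAIL
2023-01-15T10:06:03Z src=192.0.2.9 user=ivan result=FAIL
2023-01-15T10:06:04Z src=192.0.2.9 user=ivan result=FAIL
2023-01-15T10:06:05Z src=192.0.2.9 user=ivan result=FAIL
"""


@dataclass
class SourceStats:
    attempts: int = 0
    failures: int = 0
    users: set = field(default_factory=set)       # distinct usernames tried
    successes: list = field(default_factory=list)  # usernames that logged in OK


def parse_log(text):
    """Aggregate per-source-address statistics; non-matching lines are skipped."""
    stats = defaultdict(SourceStats)
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        s = stats[m["ip"]]
        s.attempts += 1
        s.users.add(m["user"])
        if m["result"] == "FAIL":
            s.failures += 1
        else:
            s.successes.append(m["user"])
    return dict(stats)


def classify(s, min_attempts=5, min_users=5, min_fail_ratio=0.6):
    """Label one source: 'credential_stuffing', 'password_guessing' or 'benign'.

    Few attempts or a low failure ratio is normal user behaviour. Many failures
    spread over many distinct usernames is stuffing (leaked pairs being
    replayed); many failures against one username is password guessing.
    """
    if s.attempts < min_attempts or s.failures / s.attempts < min_fail_ratio:
        return "benign"
    if len(s.users) >= min_users:
        return "credential_stuffing"
    return "password_guessing"


def find_credential_stuffing(text, **thresholds):
    """Map each stuffing source to the accounts it successfully logged into.

    A success from a source that is otherwise failing across many usernames
    means the attacker held a valid, reused password for that account, so
    those accounts are the ones that need a forced password reset.
    """
    findings = {}
    for ip, s in parse_log(text).items():
        if classify(s, **thresholds) == "credential_stuffing":
            findings[ip] = sorted(set(s.successes))
    return findings


if __name__ == "__main__":
    for ip, s in parse_log(SAMPLE_LOG).items():
        print(f"{ip:14} attempts={s.attempts} failures={s.failures} "
              f"users={len(s.users)} -> {classify(s)}")
    print("accounts to reset:", find_credential_stuffing(SAMPLE_LOG))
```

Two caveats a practitioner would add: keying on source address alone misses stuffing that is spread thinly across a proxy network, so a second signal (platform-wide failure ratio per minute compared against a normal-traffic baseline, or failures per account from previously unseen devices) is needed alongside it, and the thresholds above are placeholders that must be tuned against real traffic before they are used to block anything.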

Dr. Ilia Kolochenko, founder of ImmuniWeb and a member of the Europol Data Protection Experts Network, commented that he does not understand why multi-factor authentication (MFA) is not enforced by default for a service handling data as sensitive as PayPal's.

Choosing strong, unique passwords (reuse across sites is exactly what credential stuffing exploits) and changing them regularly are important controls for any firm, and combined with 2FA or MFA they materially reduce the risk of account takeover. Review your password procedures this February 1 and mark Change Your Password Day with enhanced protection.