Attacked and ‘Stuffed’!

PayPal was hit late last year by a 'credential stuffing' attack aimed at fraudulently gaining access to user accounts

When PayPal was hit by a massive 'credential stuffing' attack at the tail-end of 2022, the company acted fast to stem the damage, but these attacks can have dire consequences.

Hackers carry out credential stuffing attacks using lists of credentials obtained from the dark web, data leaks or other sources. The attack relies on users recycling their passwords throughout multiple websites. A bot is typically used in the attack, and the hackers gain access to any accounts with matching usernames and passwords.

According to PayPal, 34,942 user accounts were accessed by unauthorised parties. Account holders' full names, dates of birth, postal addresses, social security numbers and individual tax identification numbers were exposed to the attackers for roughly two days. The online payment platform has notified all users whose data was compromised in the attack.

Here is what PayPal had to say to those customers affected by the attack, in a letter sent out in January:

"On December 20, 2022, we confirmed that unauthorized parties were able to access your PayPal customer account using your login credentials. We have no information suggesting that any of your personal information was misused as a result of this incident, or that there are any unauthorized transactions on your account. There is also no evidence that your login credentials were obtained from any PayPal systems.

"Based on PayPal's investigation to date, we believe that this unauthorized activity occurred between December 6, 2022, and December 8, 2022, when we eliminated access for unauthorized third parties. During this time, the unauthorized third parties were able to view, and potentially acquire, some personal information for certain PayPal users. We have not delayed this notification as a result of any law enforcement investigation.

WHAT INFORMATION WAS INVOLVED?
"The personal information that was exposed could have included your name, address, Social Security number, individual tax identification number, and/or date of birth.

WHAT WE ARE DOING
"Upon learning about this unauthorized activity, we promptly began an investigation and took action to address this incident, including by taking steps to prevent unauthorized actors from obtaining further personal information. We reset the passwords of the affected PayPal accounts and implemented enhanced security controls that will require you to establish a new password the next time you log in to your account.

"We have also secured the services of Equifax to provide identity monitoring services at no cost to you for two years."

States Chris Deverill, UK director at Orange Cyberdefense: "The credential stuffing attack suffered by PayPal proves how easy it can be for malicious actors to breach an organisation. Cybercrime is an industry in itself, with a variety of 'solutions' aimed at the 'market' of malicious actors, putting the capability of executing an attack within the reach of so-called 'script-kiddies' [unskilled individuals who use scripts or programs developed by others, primarily for malicious purposes] and other low-skilled attackers. That could be what happened here. Even as a low-skilled threat actor, you can easily buy user credentials from the dark web and push out login attempts to see what you can gain access to."

Deverill further states that it is impossible to control the security hygiene of your users or customers, and simple advice around not reusing passwords is often ignored. Therefore, to mitigate the low barrier of entry for some attacks, businesses need to focus on what they can control: their own security posture.

"While this, of course, includes technical defences and tools such as MFA, other policies and controls should be put in place as well," he advises. "For example, staff education and awareness building will undoubtedly help to reinforce security and mitigate the chance of future successful attacks. By fostering a culture of security, businesses can help to counteract the 'unwitting insider threat' of employees accidentally allowing malicious activity to take place without realising."

For Patrick Wragg, cyber incident response manager, Integrity360, falling prey to credential stuffing highlights the significance of a robust MFA (Multi-factor Authentication) solution. "Every credential stuffing incident the IR team at Integrity360 comes across shows that victims are still choosing passwords that are easy to remember (and therefore guess)," he states. "Adding the extra security step that is MFA means that password strength is not the only hurdle attackers have to cross."

CYBERATTACK-STYLE TACTICS
Imperva defines credential stuffing as a cyberattack method in which attackers use lists of compromised user credentials to breach a system. "The attack uses bots for automation and scale, and is based on the assumption that many users reuse usernames and passwords across multiple services. Statistics show that about 0.1% of breached credentials that are attempted on another service will result in a successful login." Credential stuffing is a rising threat vector, adds Imperva, for two main reasons:

= Broad availability of massive databases of breached credentials, for example 'Collection #1-5', which made 22 billion username and password combinations openly available in plaintext to the hacker community
= More sophisticated bots that simultaneously attempt several logins and appear to originate from different IP addresses. These bots can often circumvent simple security measures, like banning IP addresses with too many failed logins.

And here is how Imperva depicts Credential stuffing in action. "Here is a typical process followed by an attacker in a large-scale credential stuffing attack." The attacker:

= Sets up a bot that is able to log into multiple user accounts in parallel automatically, while faking different IP addresses
= Runs an automated process to check whether stolen credentials work on many websites. Running the process in parallel across multiple sites reduces the need to repeatedly log into a single service
= Monitors for successful logins and obtains personally identifiable information, credit cards or other valuable data from the compromised accounts
= Retains account information for future use, for example phishing attacks or other transactions enabled by the compromised service.
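The two Imperva passages above make one defensive point worth seeing in practice: a stuffing wave spreads a handful of attempts across many source addresses, so a per-IP lockout never trips, while the fleet as a whole shows a shape no population of real users produces (dozens of distinct usernames, a failure rate near 100%, one or two attempts per IP). The script below is an added example written for this article; it is not code from PayPal, Imperva or any of the people quoted. The log format, the RFC 5737 documentation IP ranges, the usernames and every threshold are constructed for illustration. It runs a classic per-IP lockout and a fleet-level detector over the same constructed authentication log, and lists the accounts that logged in successfully during the flagged window from an IP that also tried other usernames, which are the candidates for the kind of forced password reset PayPal describes in its letter.

```python
"""Why per-IP lockout misses credential stuffing, and a fleet-level check that does not.

Added example, not from the article or from Imperva/PayPal. Log format, IP ranges
(RFC 5737 documentation addresses), usernames and thresholds are all constructed.
"""
from collections import Counter, defaultdict
from datetime import datetime, timedelta


def build_sample_log():
    """Constructed auth log: '<ISO8601 timestamp> <client IP> <username> <FAIL|SUCCESS>'."""
    lines = []
    t0 = datetime(2022, 12, 6, 10, 0, 0)
    # One legitimate user mistypes a password twice, then gets in: single IP, single account.
    for i, res in enumerate(["FAIL", "FAIL", "SUCCESS"]):
        lines.append(f"{(t0 + timedelta(seconds=i)).isoformat()}Z 192.0.2.10 carol@example.com {res}")
    # A stuffing wave: 60 leaked username/password pairs, each tried once, rotated across 30 IPs,
    # so no single IP accumulates more than 2 failures. Two reused passwords happen to work.
    for i in range(60):
        ts = (t0 + timedelta(seconds=5 + i)).isoformat() + "Z"
        ip = f"203.0.113.{i % 30 + 1}"
        user = f"user{i:03d}@example.com"
        res = "SUCCESS" if i in (17, 42) else "FAIL"
        lines.append(f"{ts} {ip} {user} {res}")
    return lines


def parse(line):
    """Split one log line into (timestamp, ip, username, result)."""
    ts, ip, user, result = line.split()
    return datetime.fromisoformat(ts.rstrip("Z")), ip, user, result


def per_ip_lockouts(events, max_failures=5, window=timedelta(minutes=10)):
    """Classic control: lock out an IP after max_failures failed logins inside the window.
    Returns the set of locked-out IPs."""
    fails = defaultdict(list)
    locked = set()
    for ts, ip, _user, result in events:
        if result != "FAIL":
            continue
        fails[ip] = [t for t in fails[ip] if ts - t <= window] + [ts]
        if len(fails[ip]) >= max_failures:
            locked.add(ip)
    return locked


def detect_stuffing(events, window=timedelta(minutes=5), min_users=20,
                    min_fail_rate=0.8, max_attempts_per_ip=3):
    """Fleet-level check over a sliding window: many distinct usernames, a very high failure
    rate and only a few attempts per source IP is the shape of a distributed stuffing wave,
    not of users mistyping passwords. Returns (flagged, compromised) where compromised holds
    usernames that logged in successfully inside a flagged window from an IP that also tried
    other usernames (a single real user at one IP rarely does that)."""
    events = sorted(events)
    flagged = False
    compromised = set()
    start = 0
    for end in range(len(events)):
        while events[end][0] - events[start][0] > window:
            start += 1
        win = events[start:end + 1]
        if len({e[2] for e in win}) < min_users:
            continue
        fail_rate = sum(e[3] == "FAIL" for e in win) / len(win)
        per_ip = Counter(e[1] for e in win)
        if fail_rate >= min_fail_rate and max(per_ip.values()) <= max_attempts_per_ip:
            flagged = True
            users_by_ip = defaultdict(set)
            for _ts, ip, user, _res in win:
                users_by_ip[ip].add(user)
            compromised |= {e[2] for e in win
                            if e[3] == "SUCCESS" and len(users_by_ip[e[1]]) > 1}
    return flagged, compromised


def analyse(lines=None):
    """Run both detectors over the given log lines (default: the constructed sample)."""
    events = [parse(line) for line in (lines or build_sample_log())]
    locked = per_ip_lockouts(events)
    flagged, compromised = detect_stuffing(events)
    return locked, flagged, compromised


if __name__ == "__main__":
    locked, flagged, compromised = analyse()
    print(f"per-IP lockout banned: {sorted(locked) or 'nothing'}")
    print(f"fleet-level stuffing detected: {flagged}")
    print(f"accounts to force-reset: {sorted(compromised)}")
```

On the constructed log the per-IP lockout bans nothing, because no address ever reaches five failures, while the fleet-level check flags the window and names the two accounts whose reused passwords let the bot in; the legitimate user who mistyped twice is not on that list. The thresholds are deliberately simple so the shape of the signal is visible; in production they would be tuned against the service's normal login failure rate.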

All too clearly, credential stuffing is yet another serious and escalating threat our industry must guard against.