A security notification released to PayPal customers this morning has revealed that up to 35,000 customers have fallen victim to a credential stuffing attack. Credential stuffing attacks involve bad actors systematically trying username and password combinations in order to break into an account. This means that PayPal itself was not hacked – only the accounts of affected customers. 

Credential stuffing attacks such as this are a key driver of the security industry’s insistence on good password hygiene, using unique, complex pass-phrases that are unlikely to be guessed. 

“In the online age, where every website wants a user to have an account, it is easy to understand why people will re-use the same username & password combination. Research suggests that 0.1% of leaked credentials will be valid on another platform – Whilst this sounds like a small amount, leaked credentials number into the billions (services like haveibeenpwned list counts by breach),” said Mike Varley, threat consultant at Adarma. 

“Credential stuffing differs from brute force attacks in that they use valid credentials from other platforms. Combine this with a botnet originating from multiple different sources and you have an attack that can defeat most login protections, such as geoblocking and/or rate limiting,” he continued. 

Despite PayPal itself not being hacked, some experts have expressed the need for platforms to implement better password practices on their user’s behalf. 

“To prevent credential stuffing attacks, cloud-based platforms must implement more advanced device verification systems, so that attackers cannot brute force test passwords. A secure password manager such as Keeper will prevent password attempts on an account if the device being used is not verified and approved by the user. This device verification system inherently creates a second factor without requiring the end-user to go through manual steps to protect their account,” said Craig Lurey, CTO and co-founder of Keeper Security.