A debacle has occurred in PayPal at the level of what happened in Twitter or other companies at the time. And it is that nothing less than 35,000 accounts have been hacked… Although really the term should not be such. The way to obtain the data of these has a great responsibility on the part of the users, but also, and of course, of the company. The exposure has been really high, it is tremendously worrying and, therefore, PayPal has had to come to the fore about the hacking of so many thousands of accounts.
The hacking took place last December, specifically, between 6 and 8 of said month. This time where the company has remained silent beyond commenting that they had a security breach has served to account for the damage and the scope of the problem… And it really is serious.
PayPal and the hacking of 35,000 highly exposed accounts
How have you managed to hack so many accounts at the same time? And at the same time so few? The number is high, but it does not correspond to a massive security breach as we have seen on other occasions and companies. It is, to put it in some way, a rather important limited number, but not globally critical.
Well, much of what has happened falls under the responsibility of cybersecurity on users. The attackers used what is known as Credential Stuffingwhich translating the term into our language is referred to as credential stuffingor the most used: reuse of credentials to legitimize a theft.
In other words, it is a type of attack that is based on the stolen credentials of other websites, which has the peculiarity that both are shared. the same username or emailand the same password. It is the typical case of the user who uses the same email and password in many places… Or in all of them. From Bleeping Computer the following is reported:
“Over the two days, the hackers had access to the full names, dates of birth, mailing addresses, social security numbers, and individual tax identification numbers of the account holders. Transaction histories, details of connected credit or debit cards, and PayPal billing information are also accessible in PayPal accounts.”
As we can see, they have been able to access almost any data that PayPal has, because, after all, access was apparently legal, since there was a valid username and password in all cases, but of course, PayPal stopped the intrusion as soon as it realized it, but it was too late…
The company wasn’t hacked, its users were
The problem is that the use of the same account or email, the use of the same password by users, is inescapably fault of that user. In addition, PayPal has two-step verificationso if the user does not want to activate it, then it turns out that the company can do little beyond detecting that thousands of accounts are being accessed simultaneously from a series of identical locations in all cases.
It is also true that in a case of Credential Stuffing like this hack to PayPal accounts, many times there are many login failures, mainly because many of those users may yes they changed the keysbut 35,000 of them have been compromised by this PayPal hack.
This is another example of why companies like Google, Apple or Microsoft they want to do away with passwords as such in the future. Users, as a general rule, as ordinary people without much knowledge of Internet security, are not aware of the danger they run by using the same passwords in each service they sEsports Extrasup for, even in banks. Companies cannot deal with this simply, because in the end It is a decision and responsibility of each person.
But yes that can offer more advanced tools and services that somehow force the user to validly identify themselves, even if an attacker has the password. In any case, and as PayPal said in their email, change your password and activate two-step verification, just in case…