One security expert was surprised to learn multifactor authentication (MFA) is not mandatory for PayPal users after the company confirmed a data breach occurred in December.
Mike Walters, Co-Founder of Action 1 Corporation, shared his thoughts with Fintech Nexus after the data breach exposed up to 35,000 user accounts.
Walters said that the lack of two-layer authentication allowed hackers to get unauthorized access to user accounts through credential stuffing, a simple attack method that relies on stolen credentials.
Walters believes hackers take logins and passwords from earlier breaches and try them against consumers’ accounts until they succeed.
Should MFA be enforced, that attack would not be possible, Walters noted.
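As an added, defender-side illustration (not from the article, Walters, or PayPal): credential stuffing leaves a distinctive trace in authentication logs, one source spreading failed logins across many distinct accounts, unlike a single user mistyping their own password. The log format, IP addresses, and usernames below are constructed; the thresholds are assumptions to tune per environment.

```python
"""Flag credential-stuffing sources in authentication logs and list the
accounts they managed to log into (candidates for a forced password reset
and MFA enrolment)."""
from collections import defaultdict

# Constructed sample log (hypothetical format): timestamp ip username result
SAMPLE_LOG = """\
2022-12-06T10:00:01Z 203.0.113.7 alice FAIL
2022-12-06T10:00:02Z 203.0.113.7 bob FAIL
2022-12-06T10:00:02Z 203.0.113.7 carol FAIL
2022-12-06T10:00:03Z 203.0.113.7 dave OK
2022-12-06T10:00:03Z 203.0.113.7 erin FAIL
2022-12-06T10:00:04Z 203.0.113.7 frank FAIL
2022-12-06T10:00:04Z 203.0.113.7 grace FAIL
2022-12-06T10:00:10Z 198.51.100.4 alice FAIL
2022-12-06T10:00:15Z 198.51.100.4 alice FAIL
2022-12-06T10:00:20Z 198.51.100.4 alice OK
"""


def parse(lines):
    """Yield (ip, username, succeeded) for each well-formed log line."""
    for line in lines:
        parts = line.split()
        if len(parts) != 4:
            continue  # skip blank or malformed lines
        _ts, ip, user, result = parts
        yield ip, user, result == "OK"


def find_stuffing_sources(lines, min_users=5, min_fail_ratio=0.5):
    """Return {ip: {...}} for sources that tried many distinct accounts with
    a high failure rate. A single account failing repeatedly from one IP
    (a forgotten password, or brute force on one user) is not flagged."""
    stats = defaultdict(lambda: {"attempts": 0, "failures": 0,
                                 "users": set(), "hits": set()})
    for ip, user, ok in parse(lines):
        s = stats[ip]
        s["attempts"] += 1
        s["users"].add(user)
        if ok:
            s["hits"].add(user)      # accounts this source got into
        else:
            s["failures"] += 1
    flagged = {}
    for ip, s in stats.items():
        ratio = s["failures"] / s["attempts"]
        if len(s["users"]) >= min_users and ratio >= min_fail_ratio:
            flagged[ip] = {"distinct_users": len(s["users"]),
                           "fail_ratio": round(ratio, 2),
                           "compromised": sorted(s["hits"])}
    return flagged


if __name__ == "__main__":
    print(find_stuffing_sources(SAMPLE_LOG.splitlines()))
```

On the sample, 203.0.113.7 is flagged (seven accounts, six failures, one success against "dave"), while 198.51.100.4 is ignored because it only ever touched one account.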
Data points possibly compromised in the breach included name, address, Social Security Number, personal tax identification number, and date of birth.
PayPal released a statement shortly after reaffirming its commitment to users’ security:
“Protecting the security of our customers’ information is very important to us. We are writing to inform you about an incident that may have impacted your PayPal account. At the outset, we want to clarify that keeping your data safe and secure will continue to be a priority moving forward.”
On Dec. 20, 2022, PayPal confirmed unauthorized parties could access PayPal customer accounts using login credentials. They said that nothing suggested personal information was misused after the breach.
“Upon learning about this unauthorized activity, we promptly began an investigation and took action to address this incident, including by taking steps to prevent unauthorized actors from obtaining further personal information,” the company said in a release.
PayPal said it reset the passwords of the affected accounts and implemented enhanced security controls that require users to establish a new password the next time they log in to their account.
The company also set up Equifax as a partner service to aid in data breach monitoring.
“We have secured the services of Equifax to provide identity monitoring services at no cost to you for two years,” the company said in its statement.
What should customers do to protect themselves?
PayPal users can take a page from the Online Security 101 playbook: Don’t reuse passwords, and don’t err on the side of simple when constructing passwords.
“A lot of people use the same username and password throughout multiple accounts, Gmail, PayPal, and bank accounts just because it’s easier to remember,” Walters said.
He also warned that hackers are getting more sophisticated with direct outreach to potential targets, using spoofing and phishing techniques.
“People should beware of sophisticated social engineering attacks leveraging stolen personally identifiable information (PII),” Walters said. “Attackers might combine various communication channels, such as mail, SMS, messengers, and phone calls, and even personalize their messaging using the information they have stolen in other attacks.”
“If someone reaches out to you and pretends to be PayPal or another organization, never trust; always verify using sources other than those provided by the original sender,” Walters added.
PayPal users who did not receive the notice of the security incident should ensure that the passwords they are using are strong enough (Chrome features a password strength meter when creating new passwords) and haven’t been reused or stolen. Most importantly, enforce MFA for your account if you haven’t done so.
We reached out to PayPal for a statement regarding the breach and did not receive a response.