Credential stuffing is a persistent threat. The form of attack exploits valid credentials stolen during a breach or purchased on the dark web, often in bulk.

The damage from credential stuffing can multiply and flow downstream because many individuals reuse usernames and passwords across multiple accounts.

Cybercriminals are using proxies and configurations to mask and automate credential stuffing attacks targeting U.S. businesses, the FBI said in an August 2022 warning to private industry.

A PayPal spokesperson said the data incident, which has been resolved, affected a small number of customers. The company ended the third quarter of 2022 with 432 million active accounts, according to its earnings report.

“PayPal’s payment systems were not impacted, and no financial information was accessed. We have contacted affected customers directly to provide guidance on this matter to help them further protect their information,” the spokesperson said via email.

In the notice sent to impacted customers, the company said it proactively reset the passwords of affected accounts and implemented enhanced security controls, requiring users to establish a new password next time they login to their account.

“The security and privacy of our customers’ account information remains a top priority for PayPal, and we sincerely apologize for any inconvenience this may have caused,” the spokesperson said.

By Matt Kapko on Jan 20, 2023
Original link