According to BleepingComputer, PayPal sent out data breach notifications to thousands of their users who had their accounts breached through a large-scale credential stuffing attack.
What is Credential Stuffing?
Credential stuffing is a straightforward form of brute force cyberattacks in which criminals use stolen usernames and passwords to access user accounts in other systems. Credential stuffing is considered one of the most common causes of data breaches because stolen usernames and passwords are cheap, accessible, and they work.
Who Was Affected?
PayPal states that this credential stuffing attack took place between December 6th and December 8th of 2022. Hackers managed to access the personal information of 34,942 users and during these two days, hackers had access to full names, dates of birth, postal addresses, social security numbers, and individual tax identification numbers.
PayPal claims they took immediate action to limit the hackers’ access to the platform by resetting the passwords of the affected accounts, according to HackRead.
How Could Eclypses MTE Technology Have Secured the Data?
For credential stuffing attacks against API login endpoints, requiring Eclypses MTE encoded payloads is the single best way to prevent generic login requests. Eclypses’ proprietary technology ensures that only a paired, uniquely instantiated client and server can securely communicate with one another. As an added benefit, Session Tokens and Auth IDs are protected from being taken in transit and stolen while at rest.
For more information on credential stuffing attacks, click here.