This Thursday (19), PayPal began sending thousands of notifications to users whose accounts at the payment company were breached. Customers' personal data was compromised in an attack known as "credential stuffing", in which criminals test user information stolen from other databases.
The information used in such attacks often comes from breaches of private and public sector databases and is frequently sold on the dark web. The captured details are loaded into credential stuffing tools that use bots to bypass traditional login protections.
These operations target users who reuse the same password across multiple online accounts.
What should the 35,000 affected users do?
According to PayPal, the credential stuffing attack took place between December 6 and 8 of last year. An internal investigation revealed that the breach of 34,942 platform users' accounts allowed attackers to access account holders' full names, dates of birth, postal addresses, and document numbers.
Assuring users that the attackers either did not attempt or failed to take any action from the compromised accounts, PayPal says it "takes timely measures to limit intruders' access to the platform and reset the passwords of the compromised accounts." In addition, all affected users will receive two years of free identity monitoring service from the Equifax credit bureau.
Finally, the Californian company "strongly" recommends that recipients of the security alerts change the passwords for their other online accounts to a unique combination of at least 12 alphanumeric characters and symbols. To prevent strangers from accessing an account even if they have a valid username and password, PayPal also recommends that users enable two-factor authentication.
Source: Tec Mundo