PayPal Credential Stuffing Attacks Renew Calls for MFA
Wednesday, January 25, 2023
An internal review confirmed that on December 20, 2022, unauthorized parties could use account holders’ login credentials to access their PayPal accounts. In response to what is being called a credential stuffing attack, PayPal warned affected customers to take steps to protect their personal information.
The incident has called into question PayPal’s basic security provisions. “It is at least surprising why MFA authentication is not enforced by default for such a sensitive service as PayPal,” said Ilia Kolochenko, founder of ImmuniWeb and a member of the Europol Data Protection Experts Network. Kolochenko noted that modern MFA technologies are cheap and “should be enabled by default by financial service providers as a foundational security control.”
And “any unusual activity, such as login from an unknown location or a new device should be rapidly reported to the user; the account may be temporarily suspended unless the user takes an action,” Kolochenko said.