
PayPal Credential Stuffing Attacks Renew Calls for MFA

By Teri Robinson for Security Boulevard
Wednesday, January 25, 2023

An internal review confirmed that on December 20, 2022, unauthorized parties could use account holders’ login credentials to access their PayPal accounts. In response to what is being called a credential stuffing attack, PayPal warned affected customers to take steps to protect their personal information.

The incident has called into question PayPal’s basic security provisions. “It is at least surprising why MFA authentication is not enforced by default for such a sensitive service as PayPal,” said Ilia Kolochenko, founder of ImmuniWeb and a member of Europol Data Protection Experts Network. Kolochenko noted that modern MFA technologies are cheap and “should be enabled by default by financial service providers as a foundational security control.”

And “any unusual activity, such as login from an unknown location or a new device should be rapidly reported to the user; the account may be temporarily suspended unless the user takes an action,” Kolochenko said.
