PayPal recently announced a data breach that exposed sensitive information belonging to roughly 35,000 users.
The unauthorised access took place between the 6th and 8th of December; PayPal detected it on the 20th of December, according to a regulatory filing. The incident was a credential-stuffing attack, in which attackers take username and password pairs leaked in earlier breaches of other services and replay them, usually with automated tooling, against the target's login page. Any pair the user had reused elsewhere opens the account, so the attack needs no vulnerability in the target's own systems.
The strategy works only because consumers reuse the same password across many websites, risky behaviour in the age of constant data breaches, yet all too common.
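To make the pattern concrete, here is an added detection example, written for this article rather than taken from PayPal or from the original page. It profiles login attempts per source address and separates a credential-stuffing signature (many accounts, one or two tries each, mostly failures with a few successes) from an ordinary brute-force attack and from normal users. The log format, field names and thresholds are assumptions, and the log lines are constructed.

```python
"""Heuristic credential-stuffing detector over authentication logs.

Added example for this article, not PayPal's detection logic; the log format,
field names and thresholds are assumptions. A stuffing campaign differs from a
brute-force attack: one source tries MANY accounts with one or two passwords
each (the pairs leaked elsewhere), and a small fraction succeed because those
users reused the password.
"""
from __future__ import annotations
from collections import defaultdict, namedtuple
from dataclasses import dataclass, field

# Constructed sample log (not real traffic): "<timestamp> <source_ip> <username> <outcome>".
# 203.0.113.7 replays leaked pairs, 198.51.100.9 brute-forces one account,
# the 192.0.2.x addresses are ordinary users.
SAMPLE_LOG = """\
2022-12-06T01:00:01Z 203.0.113.7 user01@example.com FAIL
2022-12-06T01:00:02Z 203.0.113.7 user02@example.com FAIL
2022-12-06T01:00:03Z 203.0.113.7 user03@example.com SUCCESS
2022-12-06T01:00:04Z 203.0.113.7 user04@example.com FAIL
2022-12-06T01:00:05Z 203.0.113.7 user05@example.com FAIL
2022-12-06T01:00:06Z 203.0.113.7 user06@example.com FAIL
2022-12-06T01:00:07Z 203.0.113.7 user07@example.com FAIL
2022-12-06T01:00:08Z 203.0.113.7 user08@example.com FAIL
2022-12-06T01:00:09Z 203.0.113.7 user09@example.com SUCCESS
2022-12-06T01:00:10Z 203.0.113.7 user10@example.com FAIL
2022-12-06T01:05:00Z 198.51.100.9 dave@example.com FAIL
2022-12-06T01:05:01Z 198.51.100.9 dave@example.com FAIL
2022-12-06T01:05:02Z 198.51.100.9 dave@example.com FAIL
2022-12-06T01:05:03Z 198.51.100.9 dave@example.com FAIL
2022-12-06T01:05:04Z 198.51.100.9 dave@example.com FAIL
2022-12-06T01:10:00Z 192.0.2.44 carol@example.com FAIL
2022-12-06T01:10:09Z 192.0.2.44 carol@example.com SUCCESS
2022-12-06T01:12:00Z 192.0.2.45 erin@example.com SUCCESS
"""

Attempt = namedtuple("Attempt", "ts ip user ok")

@dataclass
class SourceStats:
    attempts: int = 0
    failures: int = 0
    users: set[str] = field(default_factory=set)
    successful_users: set[str] = field(default_factory=set)

def parse_log(text: str) -> list[Attempt]:
    """Parse the four-column format above; usernames are normalised to lower case."""
    attempts = []
    for line in text.splitlines():
        if line.strip():
            ts, ip, user, outcome = line.split()
            attempts.append(Attempt(ts, ip, user.lower(), outcome == "SUCCESS"))
    return attempts

def profile_sources(attempts: list[Attempt]) -> dict[str, SourceStats]:
    """Aggregate attempts per source IP."""
    stats: dict[str, SourceStats] = defaultdict(SourceStats)
    for a in attempts:
        s = stats[a.ip]
        s.attempts += 1
        s.users.add(a.user)
        if a.ok:
            s.successful_users.add(a.user)
        else:
            s.failures += 1
    return dict(stats)

# Thresholds are assumptions; tune them against your own baseline traffic.
MIN_STUFFING_USERS = 10       # distinct accounts one source must touch
MAX_ATTEMPTS_PER_USER = 2.0   # a stuffing tool tries each leaked pair once or twice
MIN_STUFFING_FAIL_RATE = 0.5  # most leaked pairs do not match this site
MIN_BRUTE_ATTEMPTS = 5        # many guesses against one or two accounts

def classify(s: SourceStats) -> str:
    fail_rate = s.failures / s.attempts
    per_user = s.attempts / len(s.users)
    if (len(s.users) >= MIN_STUFFING_USERS and per_user <= MAX_ATTEMPTS_PER_USER
            and fail_rate >= MIN_STUFFING_FAIL_RATE):
        return "credential_stuffing"
    if len(s.users) <= 2 and s.attempts >= MIN_BRUTE_ATTEMPTS and fail_rate >= 0.8:
        return "brute_force"
    return "benign"

def detect(text: str) -> dict[str, str]:
    """Map each source IP in the log to a verdict."""
    return {ip: classify(s) for ip, s in profile_sources(parse_log(text)).items()}

def compromised_accounts(text: str) -> set[str]:
    """Accounts that logged in from a stuffing source: force a password reset and
    revoke their sessions, because the attacker now holds a valid pair."""
    hit: set[str] = set()
    for s in profile_sources(parse_log(text)).values():
        if classify(s) == "credential_stuffing":
            hit |= s.successful_users
    return hit

if __name__ == "__main__":
    for ip, verdict in detect(SAMPLE_LOG).items():
        print(f"{ip:15} {verdict}")
    print("reset:", sorted(compromised_accounts(SAMPLE_LOG)))
```

Per-IP profiling is the simplest view. A real campaign is spread across proxy networks so that each address stays under these thresholds, so the same ratios are worth computing per ASN, per client fingerprint (user agent, TLS fingerprint) and for the site as a whole, where a sudden rise in the global failure rate with roughly one attempt per account is the tell-tale sign. The accounts returned by compromised_accounts are the ones to reset and notify, which corresponds to the password changes PayPal carried out for affected users.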
Names, addresses, social security numbers, tax identification numbers and dates of birth are thought to have been compromised in the PayPal data breach.
Lack of MFA
PayPal responded with an investigation, password resets for the affected accounts and new security procedures. The company offered affected users two years of identity monitoring services from Equifax, which has had its share of high-profile breaches.
However, experts have pointed out that for a service as critical as PayPal, multifactor authentication (MFA) should have been enforced by default rather than left for users to opt into.
“Modern MFA technologies cost almost nothing to implement and should be enabled by default by financial service providers as a foundational security control”, said Dr. Ilia Kolochenko, founder of security company ImmuniWeb SA and member of the Europol Data Protection Experts Network.
Pivot to zero trust
Craig Lurey, CTO at password management company Keeper Security, also emphasized the need for improved security. He argues that to prevent credential-stuffing attacks, cloud-based platforms must implement more advanced device verification systems.
He noted the importance of training employees to identify suspicious phishing emails or text messages that seek to install malware into critical systems, prevent user access and steal sensitive data.
The PayPal data breach is a reminder that organizations holding personal information need strong, proactive security controls, with MFA and a zero-trust architecture among them, and that individuals should stop reusing passwords across different sites.