From PC World: Another day, another major security breach. Following in the footsteps of Twitter and Experian, on Thursday PayPal began notifying nearly 35,000 users that their accounts were breached between December 6 and 8. What’s different here is the method attackers used to crack the accounts. PayPal itself wasn’t hacked. Instead, the baddies used an attack known as credential stuffing—leveraging previously leaked login information that people reused for their PayPal accounts.
“During the two days, hackers had access to account holders’ full names, dates of birth, postal addresses, social security numbers, and individual tax identification numbers,” Bleeping Computer reports. “Transaction histories, connected credit or debit card details, and PayPal invoicing data are also accessible on PayPal accounts.”
That’s some seriously personal information to leak. PayPal halted the intrusion within two days, reset the passwords for affected users, and says no unauthorized transactions were attempted. It’s also giving affected users two free years of credit monitoring from Equifax, per Bleeping Computer.
But this attack didn’t need to happen. Again: PayPal wasn’t hacked, and none of these accounts would have been compromised if their owners followed some fundamental online security practices.