PayPal Wasn’t Hacked, But its Customers Were – Now What?

By Brittney Liburd, Senior Product Manager, authID.

It’s time for the market to do something about incomplete MFA for consumers.

What Happened During the PayPal 2023 Hack?

In early December, PayPal identified unauthorized access into users’ accounts. Only now— more than a month later—users are receiving notifications about the breach. This latest breach is an interesting case to discuss because this breach exposed lifetime data such as dates of birth and social security numbers that will be usable for fraudsters for a long time. In addition, breaches like these do not compromise company systems but cause consumer agony, distrust, and negative press. This is a clear signal that CIAM needs to catch up with modern IAM and better protect individual users with stronger, more secure authentication.

For decision-makers in CIAM, customer identity and access management, this blog post should be of particular interest as we cover the facts of the PayPal hack and what it means for your cybersecurity strategy through 2023 and beyond.

Without Strong Authentication, Hackers Got Unauthorized Access to PayPal Accounts

Credential stuffing attacks hit PayPal users. What are credential-stuffing attacks? Credential stuffing utilizes reused passwords found, stolen, or bought from previous breaches. These passwords are repeatedly entered until a credential/password-pair successfully gave the bad actor access. The compromised PayPal users were likely not using unique passwords online. Rather, the victims probably created the same ‘credential plus password’ pair across multiple accounts and sites. This weak password-reuse practice enabled the hackers to brute force their way into nearly 35,000 PayPal accounts.

These 35,000 accounts exposed addresses, SSNs, dates of birth, and other highly sensitive information to bad actors, who now have a treasure trove of lifetime data that can be sold online or used by the thieves to commit more unauthorized access, account takeover, and fraud.

Without MFA, accounts are most vulnerable since passwords are too easily stolen and shared, and are the weakest form of authentication.

PayPal Responded With Monitoring and Support for Breached Accounts

Though this attack occurred between December 6, 2022, and December 8, 2022, PayPal did not discover the breach until December 20th, and then did not notify users until almost a month later in January. In addition, PayPal reset all passwords for impacted accounts and is providing affected customers with identity theft monitoring services via Equifax for the next two years.

But is it enough? Password resets and ongoing monitoring are great, but shouldn’t PayPal and other consumer-focused organizations focus on preventing successful attacks in the future? And if so–how?

In 2022, Microsoft reported that only 22% of its Azure Active Directory (AD) customers used a multi-factor authentication solution to secure their accounts in the previous year; market research has returned year after year pointing at user experience as one of the prime drivers of MFA resistance in users. If given a choice – users often forgo MFA because of the additional friction associated.

4 Things PayPal and All Consumer-Focused Organizations Can Do To Prevent Credential Stuffing­­ and Account Takeover

1. Remove passwords from the authentication workflow. When you eliminate passwords from the authentication workflow, you remove the most common vector for data-breach. Use policies and controls that will prevent and cap repeated attempts at login
2. Do your research! All passwordless solutions are not the same – the most popular solutions for MFA are phishable and/or susceptible to prompt-bombing and other attacks that leverage human behaviors or thought processes
3. Find the best user experience, then strongly encourage MFA. Users hate the legacy MFA experience – where multiple devices and texted or emailed OTP add friction. Find solutions that don’t sacrifice CX for security or vice versa. For example, Verified™ can be delivered seamlessly in a browser on any mobile or desktop device. If users are reluctant to add MFA, make repeated efforts to educate and convert these users into MFA adopters.
4. Use human factor authentication (HFA). You can’t stop users from using the same password across accounts and sites, but you can make the password obsolete. You cannot force users to ignore MFA prompts which enable prompt bombing, but you can remove prompts from the workflow and thus this avenue of compromise. To prevent unauthorized access, account takeover, and fraud due to credential-based attacks like credential stuffing – the human factor of authentication – should be considered.

Wait, What is HFA?

Human Factor Authentication™ or HFA eliminates passwords by combining FIDO2 (Fast Identity Online) passwordless authentication with biometric certainty to identify the human behind the device. As a hybrid approach to MFA, HFA combines what the user has with who the user is, the proven way to combat the prevalent threats facing organizations today.

Device possession is proven using FIDO2 passkeys, an open standard that combines a cryptographic key stored on the device and device based biometrics or PIN. For account activity where stronger identity assurance is needed, user identity is verified using a cloud selfie, bound to the user’s identity. Combined, these two factors provide high assurance of the user’s identity, moving organizations further during their Zero Trust journey more efficiently than rip and replace.

HFA removes passwords and other phishable factors from the authentication workflow, thereby closing the most used vectors for unauthorized access and significantly reducing the incidence of successful account takeover.

HFA Delivers Seamless UX

Your customers hate creating and remembering passwords. Annoying authenticator apps and one-time passcodes sent to different devices can delay the login process. With HFA, the customer enjoys seamless login using their local device biometrics. authID HFA validates the FIDO2 cryptographic passkey and authenticates the customer.

HFA’s user-centric authentication workflow does not require additional hardware, text messages, codes, or passwords for enrollment, authentication, and account or identity recovery. Simply put, HFA works the way users do – inline on any browser and across devices with no restrictions.

PayPal Can Secure User Accounts Without Sacrificing UX

Apple, Google, and Microsoft have all committed to passwordless futures, and the federal government has clarified that passwordless, unphishable MFA is the only acceptable form of authentication it will accept for agencies, contractors, and partner organizations on its march towards zero trust.

All passwordless solutions, however, are different and the most popular solutions for passwordless authentication are often incomplete. While these MFA solutions are better than nothing, it’s time to move to next-gen MFA that accounts for shifts in cybersecurity where identity is the new perimeter, protecting organizations and their customers from today’s prevailing social engineering cyber-attacks.

Consumer-facing organizations like PayPal should also adopt and commit to HFA and passwordless, unphishable MFA to protect consumers, their data, company stock prices, and business reputations.

In closing, as the workforce rapidly adjusts to remote workers, digital supply chains, and federal mandates concerning MFA- so must consumer-facing organizations. As phishing, social engineering, credential stuffing and other credential focused attacks grow in occurrence, sophistication, and scope-the methods used to authenticate users and validate their behavior need to remove known vulnerabilities like passwords and ensure that the user in possession of the device used for access is who they claim to be.

Deploy Unphishable Human Factor Authentication

Verified Human Factor Authentication is unphishable MFA. Maximize your cybersecurity’s effectiveness with user-centric, biometrically backed authentication from authID. Schedule a time with our security specialists to learn more. Click here to learn more.