Here we go again! Last month it was LastPass. Prior to that it was Uber. Before that, Okta. And before that, well… you know where this is going. Now, in the PayPal breach of 2023, 35,000 customer accounts were breached by a credential stuffing attack, according to PayPal officials.
It is bad enough that some 35,000 PayPal customers were impacted by a preventable cyberattack method; the troubling part is that 35k customers are a small fraction of PayPal’s 429 million active accounts, which are no doubt being targeted by credential stuffing attacks as you read this. My question is, what are PayPal officials going to do to protect 429 million accounts from future attacks?
The thing about credential stuffing attacks is that they follow a predictable playbook used by cybercriminals, and that playbook often has a high probability of success. Cybersecurity experts who advise implementing 2FA “everywhere” and using long, complex passwords do a disservice and miss an opportunity to recommend solutions that may actually work.
If 2FA is so good…
Whenever another major data breach lands in a headline, I can predict not only the narrative about root cause, but also about the efforts taken to soothe customers and recommendations to protect against future credential-stuffing attacks. Enable 2FA/MFA, sign up for free credit monitoring… the recommendations read. Don’t get me wrong, MFA security is an excellent choice for enhanced account security and protection against common attack scenarios. But as Microsoft reported in its 2022 Cyber Signals report, the adoption rate is 22% among enterprise users, and the benefit of 2FA/MFA isn’t realized unless it is implemented.
Another challenge with 2FA/MFA is that it can be susceptible to MFA fatigue and MFA bypass attacks, as we learned from the Okta breach. Even when customers and employees do “the right thing” by enabling their MFA, we can learn from history that MFA alone is not enough.
Until CISOs and organizations require 2FA/MFA by default, it will not be an effective defense against the kinds of attacks that occurred in the PayPal breach. The 2FA/MFA lifestyle is a hard one to adopt at scale, and CISOs should consider solutions that enable stronger authentication without relying on discipline and lifestyle changes from end users.
Protection begins with a better credential security model
The lack of disciplined adoption of 2FA/MFA forces CISOs and organizations to consider alternatives. Using a Zero Trust mindset may lead us toward a passwordless future, or it may lead us to think more strategically about improving our credential security models. The bad news for credentials is that over 30 billion stolen passwords are floating around on the dark web and various hacker forums. The good news is that more than 30 billion stolen passwords are floating around on the dark web, which becomes a source of intelligence that informs and enables stronger authentication.
The PayPal breach of 2023 reminds us that 2FA isn’t a silver bullet and that credential security matters more than ever.
VeriClouds’ patented CredVerify technology is an identity threat intelligence platform that can block stolen credentials from being used during login by providing visibility, rapid detection, and automated remediation. Through real-time checks against credential threat intelligence, identity providers and organizations can enforce strong authentication and identity assurance across SaaS and on-premises environments with standard RESTful API integrations and solution accelerators. This approach complements existing MFA investments and ensures that stolen credentials are not used as a weapon during account takeover or credential stuffing attacks.
VeriClouds’ patented CredVerify technology provides:
- Comprehensive visibility into the risk of compromised credentials
- Enhanced credential security for the user management lifecycle
- Continuous monitoring and detection of compromised credentials for the entire organization (user and org level)
- Secure credential verification with k-anonymity protection
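The two ideas above that matter most to an engineer are the real-time check of a submitted password against compromised-credential intelligence at login time, and doing that check with k-anonymity so the full password hash never leaves the client. The following is an added illustration of that pattern, not VeriClouds' or CredVerify's code, and it makes no claim about how CredVerify itself is implemented: it uses the widely used SHA-1 range-query scheme (the client sends only a 5-hex-character hash prefix; the server returns every suffix in that bucket; the match is made locally) and pads small buckets with decoy rows so response size does not leak how many real entries share the prefix. The `CredentialIntelService`, `check_password` and `login_decision` names, and the list of "compromised" passwords, are constructed for the example.

```python
"""K-anonymity compromised-credential check, showing both sides of the exchange.

Added example: hypothetical names and a constructed sample feed, not a
vendor implementation.
"""
import hashlib
import secrets
from collections import defaultdict

PREFIX_LEN = 5   # the client reveals only this many hex chars of the SHA-1 digest
MIN_BUCKET = 8   # the server pads every response to at least this many rows

# Constructed stand-in for a breach-intelligence feed; these are not real leaked
# credentials, just common weak strings used to make the demo run offline.
SAMPLE_COMPROMISED = ["password", "123456", "qwerty", "letmein", "iloveyou", "summer2023"]


def sha1_hex(password: str) -> str:
    """Hex SHA-1 of the password, upper-cased so prefixes compare consistently."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


class CredentialIntelService:
    """Server side: holds full hashes and answers range queries by prefix only."""

    def __init__(self, compromised_passwords):
        # prefix -> {suffix: number of times seen in breach data}
        self._buckets = defaultdict(dict)
        for pw in compromised_passwords:
            digest = sha1_hex(pw)
            prefix, suffix = digest[:PREFIX_LEN], digest[PREFIX_LEN:]
            self._buckets[prefix][suffix] = self._buckets[prefix].get(suffix, 0) + 1
        self.queries = []  # everything the server ever learns from clients

    def range_query(self, prefix: str) -> list:
        """Return [(suffix, count), ...] for every known hash starting with prefix."""
        if len(prefix) != PREFIX_LEN or any(c not in "0123456789ABCDEF" for c in prefix):
            raise ValueError("prefix must be %d uppercase hex characters" % PREFIX_LEN)
        self.queries.append(prefix)
        rows = dict(self._buckets.get(prefix, {}))
        # Pad with random decoy suffixes carrying count 0, so a tiny bucket
        # does not reveal through its size that the prefix is rare.
        while len(rows) < MIN_BUCKET:
            decoy = secrets.token_hex(20).upper()[PREFIX_LEN:]
            rows.setdefault(decoy, 0)
        return sorted(rows.items())


def check_password(service: CredentialIntelService, password: str) -> int:
    """Client side: how many times the password appears in breach data (0 = not found).

    Only the hash prefix is sent; the suffix comparison happens locally.
    """
    digest = sha1_hex(password)
    prefix, suffix = digest[:PREFIX_LEN], digest[PREFIX_LEN:]
    for candidate_suffix, count in service.range_query(prefix):
        if candidate_suffix == suffix:
            return count  # decoys carry 0, so a decoy match is still "not found"
    return 0


def login_decision(service: CredentialIntelService, password: str) -> str:
    """Policy hook at login: block and force a reset when the credential is known-compromised."""
    return "block_and_force_reset" if check_password(service, password) > 0 else "allow"


if __name__ == "__main__":
    svc = CredentialIntelService(SAMPLE_COMPROMISED)
    for pw in ["password", "correct horse battery staple"]:
        print(pw, "->", login_decision(svc, pw))
    # The server's log contains 5-character prefixes only, never a full hash.
    print("server observed:", svc.queries)
```

In production the range query would be an HTTPS call to the intelligence provider and the decision would feed the identity provider's login flow (step-up MFA or a forced reset rather than a plain reject, so the response does not itself become a password oracle for an attacker running a stuffing list).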
If you haven’t done so, you can request a demo or get started with credential verification for protecting your sensitive data and customer accounts.
VeriClouds is the white-labeled solution behind one of the largest email providers in the world.