December PayPal Breach Caused by Reused Passwords

Jan 30, 2023

With the holidays being a busy period, hackers carried out a PayPal breach that affected around 35,000 customers in December. According to an investigation, the login information wasn’t stolen from PayPal. Instead, the hackers used passwords they had acquired elsewhere and tried them in bulk to see whether users had reused any. Stolen account data included names, birthdays, addresses, SSNs, and other identifying information.

Reused Passwords Caused the December PayPal Breach

While many account breaches are the company’s fault, the December PayPal breach was mostly user-caused. Creating and remembering strong passwords is an ongoing challenge for many users. As a result, many people have reused passwords across multiple accounts, so they don’t have to remember as many. While that can save time and headache, if that one password is stolen, it puts every single account that uses it at risk. That was the primary cause of this situation.

PayPal Still Played a Role in the Breach

Even though those 35,000 accounts had reused passwords, PayPal wasn’t entirely blameless for its role in this breach. Hackers testing for that many reused passwords should have been detectable. With as many accounts as were accessed, a much larger number were likely attempted and failed. As a company that handles sensitive financial user data, PayPal is responsible for tracking and preventing unusual login attempts.
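The kind of tracking described above can be sketched as follows. This is an added example, not PayPal's detection logic or anything from the investigation: it flags a source that tries many distinct accounts in a short window with mostly failed logins, and lists the accounts that did log in during that burst. The log format, sample lines, and thresholds are all constructed assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log: timestamp, source IP, username, outcome.
# 198.51.100.7 tries many different accounts once each (the reuse-testing pattern);
# 203.0.113.20 is a single user mistyping their own password.
SAMPLE_LOG = """\
2022-12-06T10:00:01 198.51.100.7 alice FAIL
2022-12-06T10:00:03 198.51.100.7 bob FAIL
2022-12-06T10:00:04 203.0.113.20 erin FAIL
2022-12-06T10:00:05 198.51.100.7 carol OK
2022-12-06T10:00:08 198.51.100.7 dave FAIL
2022-12-06T10:00:09 198.51.100.7 frank FAIL
2022-12-06T10:00:12 198.51.100.7 grace FAIL
2022-12-06T10:00:30 203.0.113.20 erin FAIL
2022-12-06T10:00:55 203.0.113.20 erin OK
"""

def parse(log):
    for line in log.strip().splitlines():
        ts, ip, user, outcome = line.split()
        yield datetime.fromisoformat(ts), ip, user, outcome == "OK"

def detect_stuffing(log, window=timedelta(minutes=5), min_users=5, min_fail_ratio=0.8):
    """Flag sources that try many distinct accounts, mostly failing, in one window."""
    per_ip = defaultdict(deque)   # source IP -> events inside the sliding window
    flagged = {}
    for ts, ip, user, ok in sorted(parse(log)):
        win = per_ip[ip]
        win.append((ts, user, ok))
        while ts - win[0][0] > window:      # drop events older than the window
            win.popleft()
        users = {u for _, u, _ in win}
        fail_ratio = sum(not s for _, _, s in win) / len(win)
        if len(users) >= min_users and fail_ratio >= min_fail_ratio:
            hit = flagged.setdefault(ip, {"accounts_tried": set(), "logged_in": set()})
            hit["accounts_tried"] |= users
            # Successful logins inside a flagged burst need a forced reset.
            hit["logged_in"] |= {u for _, u, s in win if s}
    return flagged

if __name__ == "__main__":
    for ip, hit in detect_stuffing(SAMPLE_LOG).items():
        print(ip, "tried", len(hit["accounts_tried"]), "accounts; reset:", sorted(hit["logged_in"]))
```

Counting distinct usernames per source, rather than failures per account, is what separates this pattern from a user who simply forgot their password.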

The Importance of Unique Passwords

The PayPal breach is another reminder of the importance of unique passwords for each account. While PayPal should have been able to do more to detect the hack attempt, it couldn’t have happened without people reusing passwords. With an average of 15% of sensitive files being viewable by all employees, there are a lot of weak points for hackers to target. Cybersecurity is a joint effort and can only fully protect a person or a business if everyone is involved. Even if a company can detect and prevent most threats, poor security habits can cause gaps in protection.

MFA Can Help Protect Stolen Passwords

Strong and unique passwords are important, but users can also take other steps. Multi-factor authentication (MFA) can be used to set up a secondary security measure when accessing an account. The most common method is texting a security code to the user’s phone. Once received, it can be entered into a prompt that’s part of the login process. Those codes expire after a short period, making them difficult to steal. A hacker trying to guess them will cause the attempt to be flagged as suspicious, which usually prevents the login.

Good Password Habits Can Prevent a Repeat PayPal Breach

While it’s unclear how many accounts were targeted beyond the 35,000 impacted, the December PayPal breach showed a lack of password security awareness. A strong password is essential for users to protect themselves. But if that password is reused across many accounts, it makes similar incidents more likely. IT providers like ITonDemand can help protect against breaches with threat monitoring and can offer staff resources to help users build better account security habits.
