UPDATED 19:52 EDT / JANUARY 19 2023

SECURITY

35,000 PayPal customers affected in credential-stuffing attack

PayPal Holdings Inc. has disclosed a data breach that involved the theft of information from 35,000 customers in a credential-stuffing attack.

In a filing Wednesday with the Office of the Maine Attorney General, PayPal said the breach occurred between Dec. 6 and Dec. 8 and was detected on Dec. 20. Details believed to have been accessed include names, addresses, Social Security numbers, tax identification numbers and dates of birth.

Along with launching an investigation, PayPal reset the passwords of all affected accounts and implemented enhanced security controls. Affected users are also being offered two years of free identity monitoring services from Equifax Inc.

In a credential-stuffing attack, hackers take username and password pairs stolen in earlier breaches of other sites and try them against accounts on a different service, betting that some victims reused the same credentials. The method works because people reuse passwords across sites, a dangerous habit in the age of perpetual data breaches but one that is all too common.

“Although many PayPal accounts were affected, the attack was not the result of PayPal’s lack of security,” Paul Bischoff, privacy advocate with tech comparison site Comparitech Ltd., told SiliconANGLE. “Instead, it’s the result of PayPal users reusing the same password on PayPal and other websites.”

Dr. Ilia Kolochenko, founder of information technology security company ImmuniWeb SA and member of the Europol Data Protection Experts Network, said it’s surprising that multifactor authentication isn’t enforced by default for such a sensitive service as PayPal.

“Modern MFA technologies cost almost nothing to implement and should be enabled by default by financial service providers as a foundational security control,” Kolochenko said. “In the meantime, all users should urgently enable MFA everywhere, especially in view of the recent LastPass data breach.”

The need for improved security was emphasized by Craig Lurey, chief technology officer at password management company Keeper Security Inc. He argues that to prevent credential-stuffing attacks, cloud-based platforms must implement more advanced device verification systems so attackers cannot brute-force test passwords.

“High-profile breaches must serve as a wakeup call for organizations large and small to implement a zero-trust architecture, enable MFA and use strong and unique passwords,” Lurey explained. “It’s equally important to train employees how to identify suspicious phishing emails or text messages that seek to install malware into critical systems, prevent user access and steal sensitive data.”

