Paypal Data Breach: 2020 Update

What happened to the Paypal data breach? Here are the latest news.

Paypal data breach

Paypal confirmed the security breach that happened in late 2019. Also, they admitted the weakness in their security.

A security analyst, Alex Birsan, reported the issue to Paypal. He said that there is a flaw in the login page.

According to his public report, a JavaScript file on the webpage is weird. It has a cross-site request forgery or a CSRF token and a session ID. What does this mean?

The file reveals session data, and hackers can retrieve login details.

How dangerous it is

Birsan said that this is a high-severity bug. And most of all, it affected the most visited page of Paypal: the login page.

Additionally, he said that it is easy to find by cybercriminals who want to get and sell login credentials.

Paypal’s acknowledgment

Paypal acknowledged the report. Also, they reportedly gave Birsan an award of $15,300.

Besides, Paypal started an investigation. In their report, they confirmed that, indeed, there were sensitive and unique tokens that leaked. So, it resulted in Recaptcha implementation.

How the hack works

In some cases, users are requested to solve a CAPTCHA challenge. It will confirm their identity to log in successfully.

But, if the user failed to solve the captcha repeatedly, they may not be required to do the authentication challenge. Which is very ironic.

Also, they said that some followed a link from a malicious site. Then, hackers trick them to enter their login details and password.

If a user typed his login details, hackers can get the information. So, they can complete the security test and pretend that they are the user.

Thus, it would expose the password because they now know the answers to the security challenge.

Paypal’s defense

Also, Paypal said that it would only expose the password if the user followed the link. Like how a phishing page works.

However, Birsan said that social engineering attacks do not work that way. The only thing that hackers need is just for the user to visit a hacked web page.

Moreover, he added that the same process can expose credit card data. Which is very harmful, as they can take your money.

Details of the disclosure

Birsan submitted the proof of concept to Paypal’s bug bounty program. And HackerOne validated the proof after 18 days.

Paypal solved the bug last December 11, 2019. It was within 24 hours of the report. It is an impressive quick action.

Besides, the bug was disclosed last January 8, 2020.

Additionally, they said that they have already applied more controls to the security test. Thus, the session tokens will not be reused.

Also, they claimed that they did not find any evidence of abuse or data theft.


After the disclosure by Birsan, he said that the bug could have been avoided. True, Paypal has fixed the issue.

However, all companies and websites should always apply the oldest piece of information security advice. It is to never store the passwords in plain text.

[Total: 0   Average: 0/5]

Leave a Comment

Your email address will not be published. Required fields are marked *