On November 5th, 2012, a well-known hacker group operating under the collective name Anonymous began a hacking spree targeted at some of the largest websites owned by companies like PayPal, Symantec, ImageShack, NBC, and Coca-Cola. The protest was part of the “zero day” exploits the group had prepared for Guy Fawkes Day, a holiday they created in honor of the Catholic revolutionary who tried to blow up the British parliament in 1605. The Fawkes mask, heavily featured in Alan Moore’s graphic novel V for Vendetta, has become synonymous with the high-profile “hacktivist” collective.
On November 4th, Anonymous Press tweeted that PayPal, one of the world’s biggest e-commerce gateways, was hacked, but the incident was immediately clarified on PayPal’s official Twitter account: “Please know @paypal was not attacked #Anonymous.” As the story developed, the company said there was “no evidence” of a security breach, and the initial source of the news claimed that the exploit was directed at a company called ZPanel.
Still, the issue has raised plenty of questions from both PayPal’s user base and onlookers. As they say, “where there’s smoke, there’s fire.” If PayPal indeed wasn’t compromised, then what’s with the list of nearly 28,000 still-encrypted passwords posted on PrivatePaste.com for everyone to see? Even though the list didn’t circulate much because it was taken down immediately, and whether or not it belonged to PayPal, it’s still a noteworthy amount of leaked information that shouldn’t be ignored. Many businesses around the world rely on this widely used online payment method to complete financial transactions, and any potential vandalism can quickly translate into an actual breach or theft of real assets.
PayPal should have done what Symantec did: take “each and every claim” of an attack on its systems seriously by relaying that it is continuously investigating the matter, the sort of reassuring message customers expect, instead of pointing to another company. Real or not, the incident will cast a shadow of doubt among customers concerning PayPal’s capacity to block potential attacks that can compromise user information.
Again, it has always been stressed that security is not just for the site owner’s protection but also for the users’. For example, even if a subscriber signs up for a phone account and agrees to all the contracts and terms of service specified by the phone service company, the provider still bears a portion of the liability if the subscriber suffers information or financial theft while making any transaction on the site. Even the slightest exposure can lead to a potential breach, and businesses should keep security and privacy a top priority. For PayPal, coming clean would’ve been the best and easiest way to handle the mischief.
By now, full control over the websites targeted by the attacks has been returned to their respective owners, but Anonymous claims to have stolen sensitive documents including personal information and passwords. There will likely be more attacks in the future, and it’s a shame that even financial institutions are now vulnerable.