IOTW: Data breach victim ordered to pay $1.21 million to Adidas and NBA

The victim of a credential stuffing attack faces charges of cyber squatting, trademark infringement and IP infringement

Olivia Powell
07/28/2023


A victim of a PayPal credential stuffing attack has been ordered to pay Adidas and National Basketball Association (NBA) US$1.21 million after malicious actors used her PayPal account to sell counterfeit items.

Australian resident Sarah Luke was the victim of a credential stuffing attack that affected around 35,000 customers in December 2022. Luke believes she was targeted in this cyber attack as her details were exposed in the Medibank data leak in October 2022, as she is unaware of any other times her details have been compromised. Medibank, however, said that no passwords were stolen during the data leak, so the credential stuffing attack was unrelated.

From December 6 to December 8, 2022, Luke’s PayPal account was used to make hundreds of fraudulent transactions. Following this, she received an email notifying her that she was facing legal action from Adidas including trademark infringement relating to fake Adidas items sold in her name. The papers were served digitally and came from the US District Court of Florida. Luke was then served similar papers filed with the US District Court of Illinois from the NBA.

Both cases were given court permission to be run ex parte, meaning neither the NBA nor Adidas were required to be present at proceedings for the cases.

Luke told ABC News that she initially thought the emails were an attempted cyber attack: “I thought it was a scam, another hoax, and I deleted the first email. After subsequent emails, I realized, there's something in this, this is real.”

Luke called the charges, which include cyber squatting, trademark infringement and IP infringement, “shocking”.

According to ABC News, damages of $1 million and $200,000 were awarded against Luke in the Adidas and NBA cases respectively after default judgements were handed down by the US courts.

In an attempt to clear her name, Luke has contacted the New South Wales Police, the Australian Consumer Complaints Authority (ACCA), the Australian Financial Complaints Commission (AFCC) and the Australian Cyber Security Centre (ACSC). She has not found success, however, saying that she has faced many barriers when attempting to rectify the situation and has felt “unheard and unseen by so many organizations and parties”. 

Luke added that she does not know who to turn to for help or advice, but she has attempted to get the rulings overturned and the damages retracted by engaging a US intellectual property lawyer. Luke explained that the legal proceedings had caused her anxiety, as she does not know if her assets will be seized or frozen in relation to the case.

What is credential stuffing?

Credential stuffing attacks see malicious actors use usernames and passwords stolen during data breaches in an attempt to log in to other accounts belonging to victims.

To do this, malicious actors will use automated systems to “stuff” the credentials into online sites with the aim of discovering a reused password. This will then give them access to the account, allowing them access to further data, including personal ID numbers, payment information or authorization controls and corporate data that can be stolen and sold on to other malicious actors.

Credential stuffing can be protected against by using different, complex passwords for each of your accounts, as well as employing multi-factor authentication (MFA). By using MFA, you can prevent credential stuffing attacks as malicious actors will not be able to log in to your account, even if they do use the correct username and password. 
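
Seen from a site's own login logs, the automated "stuffing" described above has a recognisable shape: one source tries many different usernames in a short time and mostly fails. The Python sketch below is an added example, not part of the original article; the event format, the thresholds and the sample data are assumptions constructed for illustration.

```python
from collections import defaultdict

def sample_events():
    """Constructed login events: (unix_seconds, source_ip, username, success)."""
    events = []
    # One source tries 30 different accounts once each; two reused passwords work.
    for i in range(30):
        events.append((1000 + 2 * i, "203.0.113.7", f"user{i}@example.com", i in (11, 24)))
    # A real user mistypes a password three times, then logs in.
    for i in range(3):
        events.append((1005 + 10 * i, "198.51.100.20", "alice@example.com", False))
    events.append((1040, "198.51.100.20", "alice@example.com", True))
    # An office NAT address: eight staff, all successful logins.
    for i in range(8):
        events.append((1010 + 5 * i, "192.0.2.50", f"staff{i}@example.com", True))
    return events

def detect_stuffing(events, window_s=300, min_users=10, min_fail_ratio=0.8):
    """Flag sources that try many distinct usernames in a sliding window and mostly fail.

    Returns {ip: {"peak_users": n, "suspect_logins": [usernames that succeeded]}}.
    Thresholds are illustrative assumptions, to be tuned against real traffic.
    """
    by_ip = defaultdict(list)
    for ts, ip, user, ok in events:
        by_ip[ip].append((ts, user, ok))

    findings = {}
    for ip, rows in by_ip.items():
        rows.sort()
        start, peak = 0, 0
        for end in range(len(rows)):
            # Shrink the window until it spans at most window_s seconds.
            while rows[end][0] - rows[start][0] > window_s:
                start += 1
            window = rows[start:end + 1]
            users = {user for _, user, _ in window}
            fail_ratio = sum(1 for _, _, ok in window if not ok) / len(window)
            if len(users) >= min_users and fail_ratio >= min_fail_ratio:
                peak = max(peak, len(users))
        if peak:
            # Any success from a flagged source is an account to lock and reset.
            hits = sorted({user for _, user, ok in rows if ok})
            findings[ip] = {"peak_users": peak, "suspect_logins": hits}
    return findings

if __name__ == "__main__":
    print(detect_stuffing(sample_events()))
```

The successful logins from a flagged source are the accounts where a reused password worked, so they are the ones to lock, reset and review for fraudulent activity.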

