PayPal is alerting users to a data breach and sending out notifications to thousands of users who had their accounts hacked through a credential-stuffing attack that exposed users’ personal data.
A credential stuffing attack is an attempt by hackers to access an account by trying out usernames and password pairs that were exposed via previous data leaks.
This approach works by using bots to stuff lists of credentials into login portals on many websites, often focusing on the financial sector.
35,000 PayPal users affected
PayPal informed users that the attack occurred between December 6 and December 8, 2022. PayPal detected the suspicious activity and addressed it, before starting an investigation to find out how the hackers gained access to the accounts in question.
The company concluded its investigation by December 20, 2022, which confirmed that unauthorized third parties had logged into accounts with valid credentials.
The financial payment company claims that this was not due to a systems failure or breach on its end and that there is zero evidence that users’ login data was obtained from PayPal. According to PayPal’s report, 34,942 user accounts have been affected by the incident. As a result of the breach, account holders’ full names, dates of birth, addresses, Social Security numbers, and tax ID numbers were illegally obtained by the hackers.
Although PayPal states that they addressed the data breach in a timely fashion to limit the attack as best they could, the hackers had access to the user’s transaction history, credit and debit card information, and invoicing data.
In the end, PayPal claims that the hackers did not perform any transactions with the during the breach.
What you can do
PayPal recommends that users who received data breach notices change their passwords not just for its services but for their other online accounts. At least a 12-character long password is highly recommended, and it should include alphanumeric characters and symbols as well. We strongly recommend using a password manager as maintaining distinct strong passwords for every site and service you use is a nearly impossible task without one.
It is also suggested that PayPal users activate and use two-factor authentication (2FA) to better protect their accounts and prevent data breaches. Also if you use a smartphone to access your accounts, using facial recognition is another measure you could take.