Nearly 35,000 PayPal accounts were apparently hacked in early December of 2022. According to the company, the accounts were not compromised through a data breach; instead, the attackers used a simple method known as credential stuffing.
In a credential stuffing attack, hackers try to access accounts using username and password pairs sourced from existing data leaks. This type of attack relies on automation, with bots running lists of credentials to “stuff” into the login pages of the target site.
According to PayPal, the credential stuffing attack occurred between December 6 and December 8, 2022. It stated that its security teams detected and mitigated the attack at the time. It also started an internal investigation to figure out how the hackers obtained access to the credentials.
On December 20, 2022, PayPal concluded that the unauthorized third parties had logged into the accounts with valid credentials and that 34,942 users had been affected by the attack. During the two days, the hackers had access to the account holders’ full names, dates of birth, postal addresses, social security numbers and even individual tax identification numbers. Hackers may have also had access to transaction histories, credit card information and invoicing data, as these are accessible on PayPal accounts.
The company states that it took timely action to limit the attackers’ access to the platform. It also reset the passwords of the accounts that were confirmed to have been breached.
Meanwhile, the company claims that the attackers were not able to perform any transactions from the hacked accounts.
“We have no information suggesting that any of your personal information was misused as a result of this incident, or that there are any unauthorized transactions on your account,” the company states in its notification to affected users.
In addition, PayPal states that affected users receive a free two-year identity monitoring service from Equifax.
That said, the company strongly recommended that affected users change their passwords for other online accounts. It has also advised users to activate two-factor authentication to help prevent unauthorized parties from accessing their account even if they use a valid username and password.