During a massive data breach, hackers gain access to the personal and financial information of users.
PayPal is notifying users of a data breach and sending notifications to thousands of users whose accounts were compromised by a credential-stuffing attack that exposed their personal information.
A credential stuffing attack is an attempt by hackers to gain access to a user account by reusing exposed usernames and passwords from previous data breaches.
Utilizing bots to stuff lists of credentials into login portals on numerous websites, with a focus on the financial industry.
35,000 PayPal customers impacted
The attack occurred between December 6 and December 8, 2022, according to PayPal. PayPal identified and addressed the suspicious activity before launching an investigation to determine how the hackers gained access to the accounts in question.
By December 20, 2022, the company concluded its investigation, which confirmed that unauthorized third parties had used valid credentials to access accounts.
The financial payment company asserts that this was not the result of a system failure or security breach on its end and that there is no evidence that login information for PayPal users was obtained. According to PayPal’s report, the incident has affected 34,942 user accounts. Hackers illegally obtained the full names, dates of birth, addresses, Social Security numbers, and tax ID numbers of account holders as a result of the breach.
The hackers had access to a user’s transaction history, credit and debit card information, and invoicing data, despite PayPal’s assertion that it responded promptly to the data breach to limit the attack as much as possible.
Ultimately, PayPal asserts that the hackers did not conduct any transactions during the breach.
What you can do
PayPal recommends that users who have received data breach notifications change their passwords for all of their online accounts, not just their own. It is strongly recommended that the password be at least 12 characters long and contain both alphabetic and numeric characters as well as symbols. Without a password manager, it is nearly impossible to create and remember unique, strong passwords for every website and service you use.
In addition, it is recommended that PayPal users activate and utilize two-factor authentication (2FA) to protect their accounts and prevent data breaches. Additionally, if you use a smartphone to access your accounts, you could employ facial recognition.