What just happened? PayPal is notifying thousands of users that their accounts were hacked last month after hackers used a credential stuffing attack. It is estimated that the personal information of about 35,000 people was exposed in the incident.
PayPal says the accounts were accessed by unauthorized parties who were able to guess user credentials, likely by taking advantage of massive data leaks from other sites. It highlights the dangers that come from people reusing login username/password combinations across multiple websites. Password recycling is still alarmingly common and can be avoided with a good password manager.
This type of attack gets its name from the way a botnet "stuffs" lists of leaked credentials into website login portals until some of them work. PayPal says the attack took place between December 6 and December 8, 2022, and affected 34,942 customers. The company maintains that the incident was not due to a breach of its own systems and that there is no evidence that user credentials were stolen from any of PayPal's systems.
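The pattern described above (one source trying many different accounts, each only once or twice, with mostly failed logins) is also what a defender looks for in authentication logs. The following is an added example, not code from the article or from PayPal; the log records and thresholds are constructed, and the function name `detect_stuffing` is hypothetical.

```python
"""Flag credential-stuffing sources in constructed login-audit records."""
from collections import defaultdict

# Constructed sample records (not real PayPal data): (source_ip, username, success)
# 198.51.100.7 touches six accounts once each, mostly failing: stuffing pattern.
# 203.0.113.5 hammers a single account: brute force, a different pattern.
SAMPLE_EVENTS = [
    ("198.51.100.7", "alice", False),
    ("198.51.100.7", "bob", False),
    ("198.51.100.7", "carol", True),
    ("198.51.100.7", "dave", False),
    ("198.51.100.7", "erin", False),
    ("198.51.100.7", "frank", False),
    ("203.0.113.5", "alice", False),
    ("203.0.113.5", "alice", False),
    ("203.0.113.5", "alice", True),
]


def detect_stuffing(events, min_accounts=5, max_attempts_per_account=2.0,
                    min_failure_ratio=0.5):
    """Return {source_ip: summary} for sources matching the stuffing pattern.

    A source is flagged when it tried at least `min_accounts` distinct accounts,
    averaged few attempts per account (leaked pairs are tried, not guessed), and
    most attempts failed. The summary lists accounts that *did* log in from the
    flagged source; those are the ones to reset and push toward 2FA.
    """
    per_ip = defaultdict(lambda: {"accounts": set(), "attempts": 0,
                                  "failures": 0, "succeeded": []})
    for ip, user, ok in events:
        s = per_ip[ip]
        s["accounts"].add(user)
        s["attempts"] += 1
        if ok:
            s["succeeded"].append(user)
        else:
            s["failures"] += 1

    flagged = {}
    for ip, s in per_ip.items():
        n_accounts = len(s["accounts"])
        if n_accounts < min_accounts:
            continue  # too few accounts to look like a credential list
        attempts_per_account = s["attempts"] / n_accounts
        failure_ratio = s["failures"] / s["attempts"]
        if attempts_per_account <= max_attempts_per_account and failure_ratio >= min_failure_ratio:
            flagged[ip] = {"accounts": n_accounts,
                           "failure_ratio": round(failure_ratio, 2),
                           "succeeded": sorted(set(s["succeeded"]))}
    return flagged
```

The thresholds are illustrative; in production they would be tuned against the site's normal login mix and combined with other signals such as device fingerprinting.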
The information accessed included customers’ names, addresses, Social Security numbers, individual tax identification numbers, and dates of birth. PayPal said it has no information that any of this data has been misused. Notably, there is no evidence of unauthorized payment transactions on the hacked accounts.
PayPal said it immediately launched an investigation once the unauthorized access was discovered. It has also taken steps to prevent further customer information, potentially payment and account details, from being stolen. The company reset passwords for affected accounts and “implemented enhanced security controls.”
These incidents usually involve the victim company reporting to law enforcement, but The Register reports that PayPal did not involve the police. The publication asked PayPal why, but it never responded.
PayPal says it will offer customers two years of identity monitoring from Equifax, a company that is itself no stranger to data breaches (and that once sent out incorrect credit scores). The payments giant is also advising affected users to activate two-factor authentication (2FA) protection on their accounts and to change any recycled PayPal credentials used on other sites or services.