The unauthorized parties used login credentials to access PayPal user accounts, according to a PayPal notification of a security incident.
Between December 6 and December 8, 2022, hackers gained unauthorized access to the accounts of thousands of individuals. A total of 34,942 accounts were reportedly accessed by threat actors employing a ‘credential stuffing attack’.
In a “credential stuffing” attack, attackers try username and password combinations obtained from data leaks on numerous websites in an effort to gain access to an account.
Many users reuse the same password and username/email across services. Once those credentials are exposed (by a data breach or phishing attack), submitting the stolen sets to dozens or hundreds of other websites can enable an attacker to compromise those accounts as well.
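As an added example (not from PayPal's notice or the original article), the following Python shows how a defender might spot this pattern in login logs: one source trying many distinct usernames, with most attempts failing. The log format, thresholds and function names are assumptions, and the sample log lines are constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample login log: timestamp, source IP, username, result.
SAMPLE_LOG = """\
2022-12-06T10:00:01 203.0.113.7 alice@example.com FAIL
2022-12-06T10:00:02 203.0.113.7 bob@example.com FAIL
2022-12-06T10:00:03 203.0.113.7 carol@example.com OK
2022-12-06T10:00:04 203.0.113.7 dave@example.com FAIL
2022-12-06T10:00:05 203.0.113.7 erin@example.com FAIL
2022-12-06T10:00:06 203.0.113.7 frank@example.com FAIL
2022-12-06T10:01:00 198.51.100.4 grace@example.com FAIL
2022-12-06T10:01:20 198.51.100.4 grace@example.com FAIL
2022-12-06T10:01:45 198.51.100.4 grace@example.com OK
"""

def parse(log):
    """Yield (time, ip, user, success) tuples from whitespace-separated lines."""
    for line in log.strip().splitlines():
        ts, ip, user, result = line.split()
        yield datetime.fromisoformat(ts), ip, user, result == "OK"

def detect_stuffing(events, window=timedelta(minutes=5), min_users=5, min_fail_ratio=0.7):
    """Return {ip: accounts that logged in successfully during a stuffing burst}.

    A burst is a time window in which one source tries many distinct usernames
    and most attempts fail, unlike a user mistyping a password for one account.
    """
    by_ip = defaultdict(list)
    for event in sorted(events, key=lambda e: e[0]):
        by_ip[event[1]].append(event)
    flagged = {}
    for ip, evs in by_ip.items():
        start = 0
        for end in range(len(evs)):
            while evs[end][0] - evs[start][0] > window:
                start += 1  # slide the window forward
            burst = evs[start:end + 1]
            users = {u for _, _, u, _ in burst}
            fails = sum(1 for *_, ok in burst if not ok)
            if len(users) >= min_users and fails / len(burst) >= min_fail_ratio:
                # Successful logins inside the burst are likely reused credentials.
                flagged.setdefault(ip, set()).update(u for _, _, u, ok in burst if ok)
    return flagged

if __name__ == "__main__":
    for ip, accounts in detect_stuffing(parse(SAMPLE_LOG)).items():
        print(ip, "-> reset passwords for:", sorted(accounts) or "none")
```

The accounts returned are the ones that would need a forced password reset. Grouping by source IP alone is a simplification, since attempts are often spread across many addresses.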
“The unauthorized third parties were able to view, and potentially acquire, some personal information for certain PayPal users”, reads the PayPal notice of security incident.
Overview of the PayPal Data Breach
According to PayPal, the personal information that was leaked may have included name, address, Social Security number, individual tax identification number, and/or date of birth.
On December 20, 2022, PayPal confirmed that a third party had used login information to access PayPal customer accounts.
The firm identified the unauthorized access at the time and took steps to mitigate it, and it also launched an internal investigation to determine how the hackers gained access to the accounts.
The electronic payment system states that there was no system breach, and there is no proof that the user credentials were taken directly from the users.
“We have no information suggesting that any of your personal information was misused as a result of this incident, or that there are any unauthorized transactions on your account.”
“There is also no evidence that your login credentials were obtained from any PayPal systems”, PayPal said.
PayPal is giving impacted customers free access for two years to Equifax’s identity monitoring services.
“We reset the passwords of the affected PayPal accounts and implemented enhanced security controls that will require you to establish a new password the next time you log in to your account”, PayPal noted.
- Maintain a close watch on your accounts and be on the lookout for any unusual activity.
- If you currently have another account with the same username and password as your PayPal account, you should change them.
- Enable “2-step verification” in your Account Settings to increase the security of your PayPal account.
- If you are unsure of the URL or website’s destination, do not click on the link.