PayPal accounts breached in credential stuffing attack

PayPal has sent notifications to approximately 35,000 users whose accounts were breached and accessed by a cybercriminal. The company maintains that PayPal itself was not hacked; instead, the hacker used credentials exposed in other breaches to carry out a credential stuffing attack on PayPal’s platform.

In a credential stuffing attack, an automated tool is usually used to load the credentials and brute force, or “stuff,” them into a targeted website, in this case PayPal, in an attempt to log in successfully.

If the user account isn’t protected by a unique password or multi-factor authentication, the login will succeed.

And then your account is compromised.

PayPal concluded an investigation on December 20, 2022, confirming that unauthorized third parties accessed the 35,000 accounts.

The cybercriminals had access over two days to account holders’ full names, dates of birth, mailing addresses, social security numbers, and individual tax identification numbers. Transaction records, connected credit cards, and financial institutions were also accessible.

PayPal discovered the breach and reset the passwords of all affected accounts “in a timely matter,” according to the company.

Despite the breach of accounts, PayPal believes no personal information was misused, according to their statement. “We have no information suggesting that any of your personal information was misused as a result of this incident, or that there are any unauthorized transactions on your account.”

PayPal is providing a two-year free membership to Equifax—itself a target of past security breaches—to help impacted customers monitor their credit reports.

We strongly recommend using a password manager, choosing unique, strong passwords with alphanumeric characters, and enabling multi-factor authentication whenever possible.

