PayPal Accounts Compromised in Widespread Credential Stuffing Attack


PayPal is sending data breach notices to thousands of individuals whose accounts were accessed through credential stuffing attacks that exposed some personal data. In a “credential stuffing” attack, the attacker tests username and password combinations obtained from data dumps of numerous websites in an effort to get access to an account.

This form of attack is automated: bots run lists of credentials and “stuff” them into the login pages of numerous services. Credential stuffing targets “password recycling,” the practice of using the same password for several online accounts.
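The pattern described above (many accounts tried from one source, roughly one guess each) can be told apart from single-account password guessing in login logs. The following is an added example, not code from the article or from PayPal; the log format, the thresholds and the function names are assumptions, and the log lines are constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed login events: timestamp, source IP (documentation ranges), username, outcome.
SAMPLE_LOG = """\
2022-12-06T10:00:01 203.0.113.7 alice FAIL
2022-12-06T10:00:02 203.0.113.7 bob FAIL
2022-12-06T10:00:03 203.0.113.7 carol OK
2022-12-06T10:00:04 203.0.113.7 dave FAIL
2022-12-06T10:00:05 203.0.113.7 erin FAIL
2022-12-06T10:01:00 198.51.100.9 alice FAIL
2022-12-06T10:01:01 198.51.100.9 alice FAIL
2022-12-06T10:01:02 198.51.100.9 alice FAIL
2022-12-06T10:01:03 198.51.100.9 alice FAIL
2022-12-06T10:01:04 198.51.100.9 alice FAIL
2022-12-06T10:02:00 192.0.2.44 grace FAIL
2022-12-06T10:02:20 192.0.2.44 grace OK
"""

def parse(log):
    """Yield (time, ip, user, success) tuples from whitespace-separated lines."""
    for line in log.strip().splitlines():
        ts, ip, user, outcome = line.split()
        yield datetime.fromisoformat(ts), ip, user, outcome == "OK"

def analyze(log, window=timedelta(minutes=5), min_attempts=5):
    """Label each source IP and list accounts a stuffing source logged in to."""
    by_ip = defaultdict(list)
    for event in sorted(parse(log)):
        by_ip[event[1]].append(event)
    labels, to_reset = {}, set()
    for ip, events in by_ip.items():
        label = "normal"
        for i, (start, *_rest) in enumerate(events):
            burst = [e for e in events[i:] if e[0] - start <= window]
            users = {e[2] for e in burst}
            if len(burst) < min_attempts:
                continue
            # Many accounts, about one guess each: replayed credential pairs.
            if len(users) >= 0.8 * len(burst):  # assumed, illustrative ratio
                label = "credential_stuffing"
                break
            # One account, many guesses: password guessing, a different attack.
            if len(users) == 1:
                label = "brute_force"
        labels[ip] = label
        if label == "credential_stuffing":
            # Successful logins from a stuffing source are password-reset candidates.
            to_reset |= {e[2] for e in events if e[3]}
    return labels, sorted(to_reset)
```

Grouping by source IP alone is a starting point; the same accounts-per-attempt ratio can be computed per network, user agent or device fingerprint when attempts are spread across many addresses.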

According to PayPal, the credential stuffing attack occurred between December 6 and December 8, 2022. The company detected it at the time and took steps to mitigate it, and it also launched an internal investigation to determine how the hackers gained access to the accounts. PayPal finished its investigation on December 20, 2022, and found that unauthorized third parties had used legitimate login information to access the accounts. The electronic payments company asserts that there was no system breach, and that there is no proof that the user credentials were taken directly from the users.

According to the company’s data breach reports, the incident affected 34,942 PayPal users. For two days, hackers had access to account holders’ complete names, birthdates, postal addresses, social security numbers, and unique tax identification numbers. Transaction histories, related credit or debit card information, and information on invoices are also visible within PayPal accounts.

PayPal said that it acted swiftly to restrict the hackers’ access to the system and reset the passwords of the accounts that were confirmed to have been compromised. The notice further states that the attackers have not attempted or successfully completed any transactions from the compromised PayPal accounts.

“We have no information suggesting that any of your personal information was misused as a result of this incident, or that there are any unauthorized transactions on your account,” reads PayPal’s notification to affected users. “We reset the passwords of the affected PayPal accounts and implemented enhanced security controls that will require you to establish a new password the next time you log in to your account.”

The affected users will get a free two-year subscription to Equifax’s identity monitoring service. The company strongly advises those who receive the notices to change the passwords for their other online accounts to unique, lengthy strings. A strong password often has at least 12 characters, including symbols and alphanumeric characters. PayPal also suggests that customers enable two-factor authentication (2FA) from the “Account Settings” option, which can prevent an unauthorized person from accessing an account even if they have a legitimate login and password.

About the author

Yehudah Sunshine

Bringing together his diverse professional cyber know-how, intellectual fascination with history and culture, and eclectic academic background focusing on diplomacy and the cultures of Central Asia, Yehudah Sunshine keenly blends his deep understanding of the global tech ecosystem with a nuanced worldview of the underlying socio-economic and political forces which drive policy and impact innovation in the cyber sectors. Yehudah's current work focuses on how to create opportunities, enhance marketing strategies, and elevate cyber-driven thought leadership for cyfluencer (www.cyfluencer.com), the cybersecurity thought leadership platform. Sunshine has written and researched extensively within cybersecurity, the service sectors, international criminal accountability, Israel's economy, Israeli diplomatic inroads, Israeli innovation and technology, and Chinese economic policy.