PayPal confirms data breach, sends warning emails to users

PayPal confirms data breach, sends warning emails to users

Audio player loading…

PayPal has issued a warning to some of its customers that their accounts have been breached, and some sensitive data compromised. 

In its report (opens in new tab), the company confirmed that on December 20, 2022, an unauthorized third-party accessing a number of PayPal accounts. Further investigation uncovered that whoever was behind the attack, accessed the accounts between December 6 and December 8, 2022.

“During this time, the unauthorized third parties were able to view, and potentially acquire, some personal information for certain PayPal users,” the warning reads. That data includes users’ names, addresses, Social Security numbers, individual tax identification numbers, and/or dates of birth.

No evidence of misuse

PayPal did not explain exactly how the attackers managed to access these accounts, other than stating that there is “no evidence” the login credentials were taken from the company’s systems. 

BleepingComputer reports that the breach is the result of credential stuffing, a type of attack in which hackers “stuff” the login page with numerous credentials taken elsewhere until one eventually works. 

This method relies on people using the same passwords across multiple services so that if one gets breached, all are at risk. The same report also claims 34,942 accounts were compromised, and that transaction histories, connected credit or debit card details, and PayPal invoicing data were also likely accessed. 

What the hackers will do with the data obtained in the attack remains to be seen. At the moment, PayPal does not have any evidence the data was misused, but it’s safe to assume it will be used in identity theft (opens in new tab), phishing, or other forms of social engineering attacks.

To protect its users, PayPal reset the passwords for the affected users, and “enhanced security controls” requiring users to set up a new account on their next login. Also, the users were given one year free identity monitoring services through Equifax.

Via: BleepingComputer (opens in new tab)

Sead Fadilpašić

Leave a Reply