PayPal is sending out data breach notifications to thousands of users who had their accounts accessed through credential stuffing attacks that exposed some personal data.
Credential stuffing is an attack in which adversaries try to log in to accounts using username and password pairs harvested from data leaks at other websites.
This type of attack relies on an automated approach with bots running lists of credentials to "stuff" into login portals for various services.
Credential stuffing targets users that employ the same password for multiple online accounts, which is known as "password recycling."
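The following is an added example, not tooling from the article or from PayPal: simple detection logic for the pattern described above, run over constructed authentication log lines. Stuffing differs from single-account brute force in that a bot spreads one or two attempts across many accounts and most leaked pairs no longer work, so a source that tries many distinct usernames in a short window with a low success rate is the signal. The log format, IP addresses, usernames and thresholds are all assumptions.

```python
"""Credential-stuffing detector over authentication logs (added example).

Flags source IPs that, within a sliding time window, attempt logins for
many distinct usernames with a low success ratio. Accounts that DID log
in from such a source are reported as likely compromised, which is what
a forced password reset should target.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: "<ISO timestamp> <src_ip> <username> <result>"
# 203.0.113.7 replays a leaked list; 198.51.100.22 is one user mistyping.
SAMPLE_LOG = """\
2022-12-06T10:00:00 203.0.113.7 alice@example.com FAIL
2022-12-06T10:00:01 203.0.113.7 bob@example.com FAIL
2022-12-06T10:00:01 203.0.113.7 carol@example.com OK
2022-12-06T10:00:02 203.0.113.7 dave@example.com FAIL
2022-12-06T10:00:02 203.0.113.7 erin@example.com FAIL
2022-12-06T10:00:03 203.0.113.7 frank@example.com FAIL
2022-12-06T10:00:03 203.0.113.7 grace@example.com FAIL
2022-12-06T10:00:04 203.0.113.7 heidi@example.com OK
2022-12-06T10:00:04 203.0.113.7 ivan@example.com FAIL
2022-12-06T10:00:05 203.0.113.7 judy@example.com FAIL
2022-12-06T10:01:00 198.51.100.22 alice@example.com FAIL
2022-12-06T10:01:30 198.51.100.22 alice@example.com FAIL
2022-12-06T10:02:00 198.51.100.22 alice@example.com OK
"""


def parse(log_text):
    """Parse the constructed format into (timestamp, ip, user, success) tuples."""
    events = []
    for line in log_text.splitlines():
        ts, ip, user, result = line.split()
        events.append((datetime.fromisoformat(ts), ip, user, result == "OK"))
    return events


def detect_stuffing(events, window=timedelta(minutes=5), min_users=8,
                    max_success_ratio=0.5):
    """Return {ip: stats} for every IP that, inside some `window`, tried at
    least `min_users` distinct usernames with a success ratio at or below
    `max_success_ratio`. Thresholds are assumptions; tune to your traffic."""
    by_ip = defaultdict(list)
    for ev in sorted(events):
        by_ip[ev[1]].append(ev)

    flagged = {}
    for ip, evs in by_ip.items():
        start = 0
        best = None
        for end in range(len(evs)):
            # Advance the window start so evs[start:end+1] spans <= window.
            while evs[end][0] - evs[start][0] > window:
                start += 1
            chunk = evs[start:end + 1]
            users = {e[2] for e in chunk}
            ratio = sum(1 for e in chunk if e[3]) / len(chunk)
            if len(users) >= min_users and ratio <= max_success_ratio:
                stats = {
                    "attempts": len(chunk),
                    "distinct_users": len(users),
                    "success_ratio": ratio,
                    # Successful logins from a stuffing source = compromised accounts.
                    "compromised": sorted({e[2] for e in chunk if e[3]}),
                }
                # Keep the widest window seen for this IP.
                if best is None or stats["distinct_users"] > best["distinct_users"]:
                    best = stats
        if best:
            flagged[ip] = best
    return flagged


if __name__ == "__main__":
    for ip, stats in detect_stuffing(parse(SAMPLE_LOG)).items():
        print(ip, stats)
```

In production the same logic runs over per-ASN or per-device-fingerprint keys as well, since stuffing tools rotate through proxy pools and a single-IP threshold is easy to stay under.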
Close to 35,000 users impacted
PayPal explains that the credential stuffing attack occurred between December 6 and December 8, 2022. The company detected and mitigated it at the time but also started an internal investigation to find out how the hackers obtained access to the accounts.
By December 20, 2022, PayPal concluded its investigation, confirming that unauthorized third parties logged into the accounts with valid credentials.
The electronic payments platform says the incident was not caused by a breach of its own systems and that it has no evidence the credentials were obtained from PayPal.
According to PayPal's data breach report, 34,942 of its users were affected. During the two days, the attackers had access to account holders' full names, dates of birth, postal addresses, Social Security numbers, and individual tax identification numbers.
Transaction histories, connected credit or debit card details, and PayPal invoicing data are also accessible on PayPal accounts.
PayPal says it took timely action to limit the intruders' access to the platform and reset the passwords of accounts confirmed to have been breached.
The notification also states that there is no indication the attackers attempted, or managed, to perform any transactions from the affected accounts.
"We have no information suggesting that any of your personal information was misused as a result of this incident, or that there are any unauthorized transactions on your account," reads PayPal's notification to impacted users.
"We reset the passwords of the affected PayPal accounts and implemented enhanced security controls that will require you to establish a new password the next time you log in to your account" - PayPal
Impacted users will receive a free-of-charge two-year identity monitoring service from Equifax.
The company strongly recommends that recipients of the notices change the passwords of their other online accounts to unique, long strings. Typically, a good password is at least 12 characters long and includes alphanumeric characters and symbols.
Moreover, PayPal advises users to activate two-factor authentication (2FA) protection from the 'Account Settings' menu, which can prevent an unauthorized party from accessing an account, even if they have a valid username and password.
Comments
kalmly - 2 years ago
PayPal stores Social Security numbers and tax ID numbers?
plat1098 - 2 years ago
Even though I was never contacted by PayPal, I checked my login password to my acct. and it was pwned. This is now the second recent one-- after ATT.
Luckily, I have MFA for my email acct so that prob. saved me. Have to be so vigilant nowadays.
ThomasMann - 2 years ago
These are the security news that I love and want to see a lot more....
Only the understanding of more and more people, that there will NEVER be security on the internet, especially when it comes to money, will save us from more and more digitalisation.
This will only bring more and more surveillance and control of the state over people. And it will prevent the abolishing of cash money..... which is the most basic freedom...
goldnet1 - 2 years ago
Wouldn't be anything to do with the LastPass breach of 30m accounts by any chance? I suspect they are also stuffing Amazon, Facebook, Instagram, GMail, Yahoo and any major target they can. I am changing my passwords on these accounts as they are reported. I switched away from LastPass when they started charging but obviously I haven't and can't foresee manually changing the 7.5k passwords I had stored in my vault. Some are obsolete and have been changed since but going through the whole list? Never going to happen.
ricegf - 2 years ago
"Typically, a good password is at least 12-characters long and includes alphanumeric characters and symbols."
That's terrible advice. Google "correct horse battery staple" for why. Then google "diceware" to create one that's secure and easy to remember.
TrueFalcon - 2 years ago
If you can remember it, it's too weak. Use a password manager and use random characters, not words. Each word in a password counts as ONE character. A dictionary search with common substitutions, 3 for E and the like, will crack it in seconds, minutes at most. You want something that will take a century or more of brute force.
TrueFalcon - 2 years ago
Paypal only allows 20 characters in passwords; that barely turns the security bar in KeePass green. My default for passwords is 32 with random upper, lower, and numbers. If they want special characters, I'll just add ! to the end. If you ever have to type in a password on a phone, special chars are a nightmare!
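The article's "12 characters with symbols" advice and the thread's disagreement over passphrases, random strings, and PayPal's reported 20-character limit can be compared on one scale: the size of the space an attacker who knows the generation scheme must search. The example below is added here and is not code from the article or from any commenter; the cracking rate, the dictionary size, and the 20-character limit (which a commenter reports, not the article) are assumptions.

```python
"""Search-space comparison for the password schemes discussed above (added example).

Bits assume the attacker knows the scheme and the password was chosen
uniformly within it. A human-chosen "word + digits + symbol" password is
scored as the pattern an attacker would actually enumerate, not as 12
independent random characters, which is why it comes out far weaker
than its length suggests.
"""
import math

PRINTABLE = 95           # ASCII printable characters
ALNUM = 62               # upper, lower, digits
DICEWARE_WORDS = 7776    # 6**5 entries in a standard Diceware list
COMMON_WORDS = 100_000   # assumed size of a cracking dictionary
SYMBOLS = 33             # printable non-alphanumerics
SECONDS_PER_YEAR = 365.25 * 24 * 3600


def bits_uniform(alphabet_size, length):
    """Entropy of `length` symbols drawn independently and uniformly."""
    return length * math.log2(alphabet_size)


def bits_pattern(*part_sizes):
    """Entropy of a structured password whose parts are drawn independently
    from spaces of the given sizes (e.g. word, two digits, one symbol)."""
    return sum(math.log2(n) for n in part_sizes)


def years_to_exhaust(bits, guesses_per_second):
    """Worst-case time to enumerate the whole space at the given rate."""
    return 2 ** bits / guesses_per_second / SECONDS_PER_YEAR


def compare(guesses_per_second=1e10):
    """Bits and exhaustive-search years for each scheme. The rate is an
    assumed offline-cracking figure for a fast hash; online guessing
    against a rate-limited login form is many orders of magnitude slower."""
    schemes = {
        "12 random printable chars (article's minimum)": bits_uniform(PRINTABLE, 12),
        "6-word Diceware passphrase": bits_uniform(DICEWARE_WORDS, 6),
        "20 random alnum chars (reported PayPal limit)": bits_uniform(ALNUM, 20),
        "32 random alnum chars": bits_uniform(ALNUM, 32),
        "dictionary word + 2 digits + symbol (human-chosen, ~12 chars)":
            bits_pattern(COMMON_WORDS, 100, SYMBOLS),
    }
    return {name: (round(b, 1), years_to_exhaust(b, guesses_per_second))
            for name, b in schemes.items()}


if __name__ == "__main__":
    for name, (bits, years) in compare().items():
        print(f"{bits:6.1f} bits  {years:12.3g} years  {name}")
```

The takeaway a practitioner wants from the numbers: a six-word Diceware passphrase and 12 truly random printable characters land within about a bit of each other, a 20-character random string is already far beyond any feasible offline search, and the "word plus digits plus symbol" pattern that most people produce when asked for 12 characters with symbols is cracked in well under a second at the assumed rate.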