PayPal is alerting users to a data breach and sending out notifications to thousands of users who had their accounts hacked through a credential-stuffing attack that exposed users' personal data.
A credential stuffing attack is an attempt by hackers to access an account by trying out usernames and password pairs that were exposed via previous data leaks.
This approach works by using bots to stuff lists of credentials into login portals on many websites, often focusing on the financial sector.
35,000 PayPal users affected
PayPal informed users that the attack occurred between December 6 and December 8, 2022. PayPal detected the suspicious activity and addressed it, before starting an investigation to find out how the hackers gained access to the accounts in question.
The company concluded its investigation by December 20, 2022, which confirmed that unauthorized third parties had logged into accounts with valid credentials.
The financial payment company claims that this was not due to a systems failure or breach on its end and that there is zero evidence that users' login data was obtained from PayPal. According to PayPal's report, 34,942 user accounts have been affected by the incident. As a result of the breach, account holders' full names, dates of birth, addresses, Social Security numbers, and tax ID numbers were illegally obtained by the hackers.
Although PayPal states that they addressed the data breach in a timely fashion to limit the attack as best they could, the hackers had access to the user's transaction history, credit and debit card information, and invoicing data.
In the end, PayPal claims that the hackers did not perform any transactions with the during the breach.
What you can do
PayPal recommends that users who received data breach notices change their passwords not just for its services but for their other online accounts. At least a 12-character long password is highly recommended, and it should include alphanumeric characters and symbols as well. We strongly recommend using a password manager as maintaining distinct strong passwords for every site and service you use is a nearly impossible task without one.
It is also suggested that PayPal users activate and use two-factor authentication (2FA) to better protect their accounts and prevent data breaches. Also if you use a smartphone to access your accounts, using facial recognition is another measure you could take.
Stay in the know with Laptop Mag
Get our in-depth reviews, helpful tips, great deals, and the biggest news stories delivered to your inbox.
Mark has spent 20 years headlining comedy shows around the country and made appearances on ABC, MTV, Comedy Central, Howard Stern, Food Network, and Sirius XM Radio. He has written about every topic imaginable, from dating, family, politics, social issues, and tech. He wrote his first tech articles for the now-defunct Dads On Tech 10 years ago, and his passion for combining humor and tech has grown under the tutelage of the Laptop Mag team. His penchant for tearing things down and rebuilding them did not make Mark popular at home, however, when he got his hands on the legendary Commodore 64, his passion for all things tech deepened. These days, when he is not filming, editing footage, tinkering with cameras and laptops, or on stage, he can be found at his desk snacking, writing about everything tech, new jokes, or scripts he dreams of filming.