PayPal has sent out data breach notifications to thousands of users whose accounts were accessed through credential stuffing attacks, which exposed some personal data. Credential stuffing attacks are automated attempts by hackers to log into accounts using username and password pairs sourced from data leaks at other websites.
The attack targets users who use the same password for multiple online accounts, which is known as “password recycling.” The company detected and mitigated the attack between December 6 and December 8, 2022. Unauthorized third parties logged into the accounts with valid credentials, and 34,942 users were impacted. PayPal claims that the incident was not due to a breach in its systems and that it has no evidence that the user credentials were obtained directly from them.
The hackers had access to users’ full names, dates of birth, postal addresses, social security numbers, individual tax identification numbers, transaction histories, connected credit or debit card details, and PayPal invoicing data. PayPal reset the passwords of the affected accounts and implemented enhanced security controls. It also recommends that users change the passwords of their other online accounts, choose unique and long passwords, and enable two-factor authentication.
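The pattern described above, one source trying many different usernames with leaked credentials in a short window, is what a defender looks for in authentication logs, and the accounts that logged in successfully from such a source are the ones whose passwords need resetting. The following is an added example, not PayPal's code or anything from the notification: the log format, the IP addresses, the usernames and the thresholds are all constructed for illustration.

```python
"""Flag credential-stuffing sources in authentication logs and list the
accounts that were successfully accessed from them (added example)."""
import re
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample log lines (not real PayPal logs; the format is an assumption).
# 203.0.113.5 sprays six different usernames in five seconds and gets two hits;
# 198.51.100.7 is a normal user mistyping their own password once.
SAMPLE_LOGS = """\
2022-12-06T10:00:01Z ip=203.0.113.5 user=alice result=FAIL
2022-12-06T10:00:02Z ip=203.0.113.5 user=bob result=FAIL
2022-12-06T10:00:03Z ip=203.0.113.5 user=carol result=SUCCESS
2022-12-06T10:00:04Z ip=203.0.113.5 user=dave result=FAIL
2022-12-06T10:00:05Z ip=203.0.113.5 user=erin result=SUCCESS
2022-12-06T10:00:06Z ip=203.0.113.5 user=frank result=FAIL
2022-12-06T10:01:10Z ip=198.51.100.7 user=alice result=FAIL
2022-12-06T10:01:25Z ip=198.51.100.7 user=alice result=SUCCESS
2022-12-06T10:02:00Z ip=192.0.2.9 user=grace result=FAIL
2022-12-06T10:02:30Z ip=192.0.2.9 user=heidi result=FAIL
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) ip=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<result>SUCCESS|FAIL)$"
)


def parse_line(line):
    """Parse one log line into a dict, or return None for malformed input."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return {"ts": ts, "ip": m["ip"], "user": m["user"], "result": m["result"]}


def detect_credential_stuffing(log_text, window_seconds=300, min_distinct_users=5):
    """Return {ip: {...}} for every source IP that attempted at least
    `min_distinct_users` different usernames inside any `window_seconds` span.

    Distinct usernames per source, rather than failed attempts per account,
    is the signal: a stuffing run spreads its attempts across many accounts
    and often succeeds on the first try, so per-account lockout never fires.
    """
    events = [e for e in (parse_line(l) for l in log_text.splitlines()) if e]
    events.sort(key=lambda e: e["ts"])

    by_ip = defaultdict(list)
    for e in events:
        by_ip[e["ip"]].append(e)

    findings = {}
    for ip, evs in by_ip.items():
        flagged = False
        start = 0
        # Sliding window over this IP's events, ordered by time.
        for end in range(len(evs)):
            while (evs[end]["ts"] - evs[start]["ts"]).total_seconds() > window_seconds:
                start += 1
            distinct = {e["user"] for e in evs[start:end + 1]}
            if len(distinct) >= min_distinct_users:
                flagged = True
                break
        if flagged:
            findings[ip] = {
                "distinct_users": len({e["user"] for e in evs}),
                "attempts": len(evs),
                # Accounts that actually authenticated from the stuffing source.
                "compromised_accounts": sorted(
                    {e["user"] for e in evs if e["result"] == "SUCCESS"}
                ),
            }
    return findings


def accounts_to_reset(findings):
    """Union of accounts accessed from any flagged source: the reset list."""
    users = set()
    for f in findings.values():
        users.update(f["compromised_accounts"])
    return sorted(users)


if __name__ == "__main__":
    result = detect_credential_stuffing(SAMPLE_LOGS)
    for ip, info in result.items():
        print(f"{ip}: {info['distinct_users']} users in {info['attempts']} attempts, "
              f"accessed: {', '.join(info['compromised_accounts']) or 'none'}")
    print("reset passwords for:", accounts_to_reset(result))
```

The thresholds are deliberately parameters: a real deployment tunes the window and user count against its own baseline, and would key on more than the source IP (botnets rotate addresses), for example on a device or TLS fingerprint. The output list is exactly the action the article reports PayPal taking, resetting the passwords of the accounts that were accessed, which is why the detector keeps the successful logins separate from the noise of failures.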