Accounts of over 34,000 PayPal customers were breached through a “credential stuffing” attack, Bleeping Computer reported on Thursday. A PayPal spokesperson confirmed the report.
Bleeping Computer explained, “Credential stuffing are attacks where hackers attempt to access an account by trying out username and password pairs sourced from data leaks on various websites.”
A PayPal spokesperson provided the following statement to EcommerceBytes:
“Earlier in December, our security team identified and resolved a data incident that affected a small number of PayPal customer accounts. PayPal’s payment systems were not impacted, and no financial information was accessed.
“We have contacted affected customers directly to provide guidance on this matter to help them further protect their information. The security and privacy of our customers’ account information remains a top priority for PayPal, and we sincerely apologize for any inconvenience this may have caused.”
Bleeping Computer linked to PayPal’s full “notice of security incident” notification sent to customers impacted. One section included background on the December attack:
WHAT HAPPENED?
On December 20, 2022, we confirmed that unauthorized parties were able to access your PayPal customer account using your login credentials. We have no information suggesting that any of your personal information was misused as a result of this incident, or that there are any unauthorized transactions on your account. There is also no evidence that your login credentials were obtained from any PayPal systems.
Based on PayPal’s investigation to date, we believe that this unauthorized activity occurred between December 6, 2022, and December 8, 2022, when we eliminated access for unauthorized third parties. During this time, the unauthorized third parties were able to view, and potentially acquire, some personal information for certain PayPal users.
We have not delayed this notification as a result of any law enforcement investigation.
The letter to affected users also stated that the personal information that was exposed could have included customers’ name, address, Social Security number, individual tax identification number, and/or date of birth.
You can find the link to the letter in the Bleeping Computer article. As the news site stated, “The electronic payments platform claims that this was not due to a breach on its systems and has no evidence that the user credentials were obtained directly from them.”
The incident is a good reminder of why it’s so important not to use the same password on multiple sites.
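As an added illustration of the credential-stuffing pattern Bleeping Computer describes (one leaked username/password list replayed against many accounts), here is a small detector run over constructed authentication log lines. This is example code written for this page, not PayPal's or Bleeping Computer's; the log format, IP addresses, usernames and thresholds are all assumptions.

```python
# Added example (not from the article): minimal credential-stuffing detector
# over constructed auth log lines. Log format, thresholds and addresses are
# assumptions for illustration only.
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log, one event per line: "<ISO time> <src_ip> <user> <ok|fail>"
SAMPLE_LOG = """\
2022-12-06T02:00:01 198.51.100.7 alice fail
2022-12-06T02:00:02 198.51.100.7 bob fail
2022-12-06T02:00:03 198.51.100.7 carol fail
2022-12-06T02:00:04 198.51.100.7 dave ok
2022-12-06T02:00:05 198.51.100.7 erin fail
2022-12-06T02:00:06 198.51.100.7 frank fail
2022-12-06T02:10:00 203.0.113.9 alice fail
2022-12-06T02:10:30 203.0.113.9 alice fail
2022-12-06T02:11:00 203.0.113.9 alice ok
"""

def parse(log_text):
    """Turn log lines into (timestamp, src_ip, username, succeeded) tuples."""
    events = []
    for line in log_text.splitlines():
        ts, ip, user, result = line.split()
        events.append((datetime.fromisoformat(ts), ip, user, result == "ok"))
    return events

def detect_stuffing(events, window=timedelta(minutes=10), min_users=5, max_success_rate=0.5):
    """Flag sources that try many distinct usernames in a short window with
    mostly failures. That is the stuffing signature (a leaked list replayed
    across accounts); a single user retyping their own password is not flagged.
    Returns {src_ip: {"distinct_users", "attempts", "compromised"}}."""
    by_ip = defaultdict(list)
    for ts, ip, user, ok in sorted(events):
        by_ip[ip].append((ts, user, ok))
    alerts = {}
    for ip, attempts in by_ip.items():
        start = 0
        for end in range(len(attempts)):
            # Slide the window start forward so span covers at most `window`.
            while attempts[end][0] - attempts[start][0] > window:
                start += 1
            span = attempts[start:end + 1]
            users = {u for _, u, _ in span}
            successes = sum(ok for _, _, ok in span)
            if len(users) >= min_users and successes / len(span) <= max_success_rate:
                alerts[ip] = {"distinct_users": len(users), "attempts": len(span),
                              # accounts the source logged into: candidates for forced reset
                              "compromised": sorted(u for _, u, ok in span if ok)}
    return alerts
```

The `compromised` list is the actionable output: accounts that accepted a password from a flagged source are the ones to reset and notify, which is the remediation the PayPal notice describes.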
Interesting, somewhere around that time was a day when I got repetitive texts with authentication codes. Went and changed my password and they stopped, probably the only time I’ve been thankful for those annoying codes. Wonder how they got my PayPal pass though since it is one of a kind.