PayPal confirms data breach, sends warning emails to users

(Image credit: PayPal)

PayPal has issued a warning to some of its customers that their accounts have been breached, and some sensitive data compromised. 

In its report, the company confirmed that on December 20, 2022, an unauthorized third-party accessing a number of PayPal accounts. Further investigation uncovered that whoever was behind the attack, accessed the accounts between December 6 and December 8, 2022.

“During this time, the unauthorized third parties were able to view, and potentially acquire, some personal information for certain PayPal users,” the warning reads. That data includes users’ names, addresses, Social Security numbers, individual tax identification numbers, and/or dates of birth.

TechRadar Pro needs you! We want to build a better website for our readers, and we need your help! You can do your bit by filling out our survey and telling us your opinions and views about the tech industry in 2023. It will only take a few minutes and all your answers will be anonymous and confidential. Thank you again for helping us make TechRadar Pro even better.

D. Athow, Managing Editor

No evidence of misuse

PayPal did not explain exactly how the attackers managed to access these accounts, other than stating that there is “no evidence” the login credentials were taken from the company’s systems. 

BleepingComputer reports that the breach is the result of credential stuffing, a type of attack in which hackers “stuff” the login page with numerous credentials taken elsewhere until one eventually works. 

This method relies on people using the same passwords across multiple services so that if one gets breached, all are at risk. The same report also claims 34,942 accounts were compromised, and that transaction histories, connected credit or debit card details, and PayPal invoicing data were also likely accessed. 

What the hackers will do with the data obtained in the attack remains to be seen. At the moment, PayPal does not have any evidence the data was misused, but it’s safe to assume it will be used in identity theft, phishing, or other forms of social engineering attacks.

To protect its users, PayPal reset the passwords for the affected users, and “enhanced security controls” requiring users to set up a new account on their next login. Also, the users were given one year free identity monitoring services through Equifax.

Via: BleepingComputer

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.