PayPal has warned some of its customers that their accounts have been breached and some sensitive data has been compromised.
In its report, the company confirmed that on December 20, 2022, an unauthorized third party accessed a number of PayPal accounts. Further investigation revealed that whoever was behind the attack accessed the accounts between December 6 and December 8, 2022.
“During this time, unauthorized third parties were able to view and potentially acquire some personal information of certain PayPal users,” the alert reads. This information includes usernames, addresses, social security numbers, unique tax identification numbers, and/or dates of birth.
No evidence of abuse
PayPal hasn’t explained exactly how the attackers gained access to these accounts, other than that there’s “no evidence” the credentials came from the company’s systems.
BleepingComputer reports that the breach is the result of credential stuffing, a type of attack in which hackers “stuff” the login page with numerous credentials picked up elsewhere until one eventually works.
This method relies on people using the same passwords for multiple services, so if one is hacked, all are vulnerable. The same report also claims that 34,942 accounts were compromised and that transaction histories, associated credit or debit card details, and PayPal billing data were also likely accessed.
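The pattern described above leaves a recognizable trace in authentication logs: one source trying many different usernames in a short time, with only a few successes. The following is an added illustration, not code from PayPal or from the report cited here; the event format, the thresholds and the sample events are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample login events: (timestamp, source IP, username, success).
# IPs are from documentation ranges; none of this is real data.
SAMPLE_EVENTS = [
    ("2023-01-01T10:00:00", "203.0.113.7", "alice", False),
    ("2023-01-01T10:00:05", "203.0.113.7", "bob", False),
    ("2023-01-01T10:00:09", "203.0.113.7", "carol", False),
    ("2023-01-01T10:00:14", "203.0.113.7", "dana", True),
    ("2023-01-01T10:00:18", "203.0.113.7", "erin", False),
    ("2023-01-01T10:00:23", "203.0.113.7", "frank", False),
    ("2023-01-01T10:01:00", "198.51.100.20", "alice", False),  # user mistypes once
    ("2023-01-01T10:01:20", "198.51.100.20", "alice", True),
    ("2023-01-01T10:03:00", "198.51.100.21", "bob", True),
]

def detect_stuffing(events, window=timedelta(minutes=10),
                    min_users=5, max_success_ratio=0.2):
    """Flag IPs that try many distinct usernames in one window with few successes.

    The thresholds are illustrative assumptions, not vendor guidance.
    """
    by_ip = defaultdict(list)
    for ts, ip, user, ok in events:
        by_ip[ip].append((datetime.fromisoformat(ts), user, ok))

    findings = {}
    for ip, rows in by_ip.items():
        rows.sort()
        best, start = None, 0
        for end in range(len(rows)):
            # Slide the window start forward until it spans at most `window`.
            while rows[end][0] - rows[start][0] > window:
                start += 1
            span = rows[start:end + 1]
            users = {u for _, u, _ in span}
            ratio = sum(ok for _, _, ok in span) / len(span)
            if len(users) >= min_users and ratio <= max_success_ratio:
                if best is None or len(users) > best["distinct_users"]:
                    best = {"distinct_users": len(users), "attempts": len(span)}
        if best:
            # Any account that logged in successfully from a flagged source
            # should be treated as compromised and have its password reset.
            best["reset_accounts"] = sorted({u for _, u, ok in rows if ok})
            findings[ip] = best
    return findings

if __name__ == "__main__":
    print(detect_stuffing(SAMPLE_EVENTS))
```

A single user who mistypes a password is not flagged, because the rule keys on the number of distinct usernames per source rather than on failures alone.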
It remains to be seen what the hackers will do with the data obtained during the attack. PayPal currently has no evidence of misuse of the data, but it can be assumed that it is being used for identity theft, phishing or other forms of social engineering attacks.
To protect its users, PayPal reset passwords for affected users and “enhanced security controls” prompting users to set up a new account the next time they log in. In addition, users received one year of free identity monitoring services through Equifax.
Via: BleepingComputer