PayPal accounts breached in large-scale credential stuffing attack

PayPal has sent data breach notifications to thousands of users whose accounts were accessed in a credential stuffing attack, exposing their personal data.

Credential stuffing is an attack in which hackers try to gain access to accounts using username-password pairs gleaned from earlier data leaks at other services.

The attack is automated: bots take lists of leaked credentials and “stuff” them into the login portals of many different services, typically trying each pair only once per site.

It works because of password recycling: the attack targets people who use the same password across multiple online accounts, so a password leaked from one site unlocks their accounts elsewhere.
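The pattern described above, one source trying many different accounts roughly once each with a high failure rate, is what a defender looks for in login-audit logs. The following is an added example written for this page; it is not PayPal's code and the log format, thresholds and sample records are all constructed assumptions. It flags source IPs showing the stuffing signature within a time window, distinguishes them from single-account brute force (many attempts, one username), and lists the accounts that were actually logged into so they can be reset, which is the remediation PayPal described.

```python
"""Spotting a credential-stuffing run in login-audit logs.

Constructed sample records (not real PayPal data), one per line:
    <ISO-8601 timestamp> <source IP> <username> <SUCCESS|FAIL>
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: 203.0.113.10 walks a leaked username list, one try per account
# (two succeed); 198.51.100.7 guesses one user's password repeatedly (brute force,
# not stuffing); 192.0.2.44 is an ordinary login. Addresses and names are illustrative.
SAMPLE_LOG = """\
2022-12-06T10:00:01Z 203.0.113.10 alice@example.com FAIL
2022-12-06T10:00:02Z 203.0.113.10 bob@example.com FAIL
2022-12-06T10:00:02Z 203.0.113.10 carol@example.com SUCCESS
2022-12-06T10:00:03Z 203.0.113.10 dave@example.com FAIL
2022-12-06T10:00:03Z 203.0.113.10 erin@example.com FAIL
2022-12-06T10:00:04Z 203.0.113.10 frank@example.com FAIL
2022-12-06T10:00:04Z 203.0.113.10 grace@example.com SUCCESS
2022-12-06T10:00:05Z 203.0.113.10 heidi@example.com FAIL
2022-12-06T10:00:05Z 203.0.113.10 ivan@example.com FAIL
2022-12-06T10:00:06Z 203.0.113.10 judy@example.com FAIL
2022-12-06T10:00:07Z 203.0.113.10 mallory@example.com FAIL
2022-12-06T10:00:07Z 203.0.113.10 oscar@example.com FAIL
2022-12-06T10:01:00Z 198.51.100.7 alice@example.com FAIL
2022-12-06T10:01:20Z 198.51.100.7 alice@example.com FAIL
2022-12-06T10:01:45Z 198.51.100.7 alice@example.com SUCCESS
2022-12-06T10:02:00Z 192.0.2.44 peggy@example.com SUCCESS
"""


def parse_log(text):
    """Parse the sample format into (timestamp, ip, user, success) tuples sorted by time."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, user, result = line.split()
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), ip, user, result == "SUCCESS"))
    return sorted(events, key=lambda e: e[0])


def find_stuffing_sources(events, window=timedelta(seconds=60), min_accounts=10, min_failure_rate=0.5):
    """Return {ip: report} for source IPs whose attempts inside some `window` touch at
    least `min_accounts` distinct usernames with a failure rate >= `min_failure_rate`.
    The thresholds are assumptions for this example; tune them per site.

    Many accounts with about one attempt each is the stuffing signature. Many attempts
    against one account is brute force and is deliberately not flagged here.
    """
    by_ip = defaultdict(list)
    for ev in events:
        by_ip[ev[1]].append(ev)

    flagged = {}
    for ip, evs in by_ip.items():
        best = None
        start = 0
        for end in range(len(evs)):
            # Slide the window start forward until the span is at most `window` long.
            while evs[end][0] - evs[start][0] > window:
                start += 1
            win = evs[start:end + 1]
            users = {e[2] for e in win}
            failures = sum(1 for e in win if not e[3])
            rate = failures / len(win)
            if len(users) >= min_accounts and rate >= min_failure_rate:
                if best is None or len(users) > best["distinct_accounts"]:
                    best = {
                        "distinct_accounts": len(users),
                        "attempts": len(win),
                        "attempts_per_account": len(win) / len(users),
                        "failure_rate": rate,
                        # Accounts the attacker actually got into from this source.
                        "compromised": sorted(e[2] for e in win if e[3]),
                    }
        if best is not None:
            flagged[ip] = best
    return flagged


def accounts_to_reset(flagged):
    """Union of accounts successfully logged into from flagged sources: these need a
    forced password reset and session revocation."""
    return sorted({user for report in flagged.values() for user in report["compromised"]})


if __name__ == "__main__":
    report = find_stuffing_sources(parse_log(SAMPLE_LOG))
    for ip, r in report.items():
        print(f"{ip}: {r['distinct_accounts']} accounts, {r['attempts']} attempts, "
              f"failure rate {r['failure_rate']:.0%}, compromised {r['compromised']}")
    print("reset:", accounts_to_reset(report))
```

On the sample, only 203.0.113.10 is flagged (12 accounts, 12 attempts, one attempt per account, 83% failures, two successes); 198.51.100.7 hits one account three times and is left to a separate brute-force rule. In production the same logic runs per source ASN or per device fingerprint as well as per IP, because stuffing botnets spread attempts across many addresses.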

Nearly 35,000 people were impacted

PayPal says the credential-stuffing attack took place between December 6 and December 8, 2022. PayPal detected the activity and took immediate steps to mitigate it, and also opened an internal investigation into how the attackers gained access to the accounts.

PayPal closed its investigation on December 20, 2022, confirming that unauthorised parties had used valid credentials to log into accounts.

According to the payment platform, there is no evidence that those credentials were stolen from its own systems; they were obtained elsewhere and replayed against PayPal logins.

According to PayPal’s data breach report, the incident affected 34,942 users. The attackers were able to view account holders’ full names, dates of birth, postal addresses, Social Security numbers and individual tax identification numbers.

A PayPal account also exposes transaction histories, details of linked debit and credit cards, and PayPal invoice data.

PayPal says it took prompt action to lock the intruders out and to reset the passwords of accounts confirmed as compromised.

The notification also says that the attackers did not attempt or manage to make any transactions from the breached PayPal accounts.

“We do not have any evidence that your personal data was misappropriated as a consequence of this incident or that you are subject to any unauthorised transactions,” the notification reads.

“We reset passwords for affected PayPal accounts, and we implemented increased security controls that will require users to create a new password each time they log into their account.” – PayPal

PayPal is also offering impacted users two years of free identity monitoring through Equifax.

Recipients of the notice are strongly advised to change the password on any other online account where the same password was used, choosing a long, unique password for each. A good password should be at least 12 characters long and include letters, digits and symbols; note that length and complexity alone do not stop credential stuffing if the password is reused, uniqueness per site does.

PayPal also recommends enabling two-factor authentication (2FA) from the “Account Settings” menu. With 2FA turned on, an attacker cannot log in with a stolen username and password alone, because the second factor is still required.