PayPal sent notifications to all the affected accounts asking them to change their passwords. PayPal said that there had been no breach in their systems.
PayPal, one of the world’s largest online payment services platforms, suffered a major data breach last month, between December 6 and December 8, 2022. According to reports, the hackers got away with sensitive information from 34,942 accounts.
PayPal noted that the exposed data included the names, addresses, personal tax identification numbers, social security numbers, and dates of birth associated with the compromised accounts. The company has already started sending notifications to all the compromised accounts, blaming a credential-stuffing attack for the breach.
In a recent notification sent this Wednesday, PayPal noted:
“On December 20, 2022, we confirmed that unauthorized parties were able to access your PayPal customer account using your login credentials.”
After learning about the new data breach on December 8, PayPal stopped the unauthorized access and started an investigation immediately. PayPal quickly reset the passwords of the affected accounts and “implemented enhanced security controls” that would require the affected accounts to set up a new password.
“We have no information suggesting that any of your personal information was misused due to this incident or that there are any unauthorized transactions on your account. There is also no evidence that your login credentials were obtained from any PayPal systems,” noted PayPal.
PayPal Claims No Breach In Systems
Because the hackers accessed user accounts with valid credentials, PayPal said that there was no breach in its systems. It noted that there is no evidence suggesting that the users’ credentials were obtained directly from PayPal.
Instead, the hackers were able to access the accounts using credential stuffing. This method involves trying pairs of usernames and passwords, sourced from data leaks, on various websites. Using bots, attackers submit the list of credentials to the login portals of different services.
Users who reuse the same password across different online accounts are the most prone to becoming victims of credential-stuffing attacks. As noted, payments giant PayPal claims to have taken quick action to limit the hackers’ access to the platform and reset the passwords of the affected accounts. In addition, all the impacted users will receive a two-year identity-monitoring service from Equifax for free.
PayPal also mentioned that the attackers didn’t manage to perform any transactions from the breached accounts. To avoid becoming victims of future hacks, users are advised to enable two-factor authentication (2FA) on their end.
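From the defender's side, the credential-stuffing pattern described above (many different usernames tried a few times each, mostly failing) can be picked out of login logs. The following is an added example, not PayPal's code or detection logic; the log format, thresholds and function names are assumptions, and the log lines are constructed.

```python
from collections import defaultdict

# Constructed sample auth log (not real data): "timestamp source_ip username result"
SAMPLE_LOG = """\
2022-12-06T10:00:01Z 203.0.113.7 alice@example.com FAIL
2022-12-06T10:00:02Z 203.0.113.7 bob@example.com FAIL
2022-12-06T10:00:03Z 203.0.113.7 carol@example.com FAIL
2022-12-06T10:00:04Z 203.0.113.7 dave@example.com OK
2022-12-06T10:00:05Z 203.0.113.7 erin@example.com FAIL
2022-12-06T10:00:06Z 203.0.113.7 frank@example.com FAIL
2022-12-06T10:05:10Z 198.51.100.20 grace@example.com FAIL
2022-12-06T10:05:25Z 198.51.100.20 grace@example.com OK
2022-12-06T10:07:00Z 192.0.2.55 heidi@example.com FAIL
2022-12-06T10:07:01Z 192.0.2.55 heidi@example.com FAIL
2022-12-06T10:07:02Z 192.0.2.55 heidi@example.com FAIL
truncated line without result
"""

def parse(log):
    """Yield (source_ip, username, succeeded) for each well-formed line."""
    for line in log.splitlines():
        parts = line.split()
        if len(parts) != 4 or parts[3] not in ("OK", "FAIL"):
            continue  # skip malformed lines instead of failing
        yield parts[1], parts[2].lower(), parts[3] == "OK"

def find_stuffing(log, min_users=5, max_tries_per_user=2, max_success_ratio=0.3):
    """Return {source_ip: accounts that logged in OK} for sources that try
    many distinct usernames, few times each, with a low success rate."""
    attempts = defaultdict(lambda: defaultdict(int))  # ip -> user -> tries
    successes = defaultdict(set)                      # ip -> users with an OK
    for ip, user, ok in parse(log):
        attempts[ip][user] += 1
        if ok:
            successes[ip].add(user)
    flagged = {}
    for ip, users in attempts.items():
        avg_tries = sum(users.values()) / len(users)
        ratio = len(successes[ip]) / len(users)
        if (len(users) >= min_users and avg_tries <= max_tries_per_user
                and ratio <= max_success_ratio):
            flagged[ip] = sorted(successes[ip])  # accounts to reset and notify
    return flagged

if __name__ == "__main__":
    print(find_stuffing(SAMPLE_LOG))
```

The accounts returned for a flagged source are the ones where a reused password actually worked, which is the set a service would reset and notify. Because bots spread attempts across many sources, the same aggregation is usually also keyed on attributes other than IP address.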
Bhushan is a FinTech enthusiast with a flair for understanding financial markets. His interest in economics and finance drew his attention to the emerging blockchain technology and cryptocurrency markets. He is continuously learning and keeps himself motivated by sharing his acquired knowledge. In his free time he reads thriller fiction novels and sometimes explores his culinary skills.