PayPal sent notifications to all affected accounts asking them to change their passwords. PayPal said there had been no breach in its systems.
One of the world’s largest online payment service platforms, PayPal, suffered a major data breach last month, between December 6 and 8, 2022. Hackers reportedly got away with the sensitive information of 34,942 accounts.
PayPal noted that the exposed data included the names, addresses, personal tax identification numbers, social security numbers and dates of birth associated with the compromised accounts. The company has already started sending notifications to all compromised accounts and blamed a credential stuffing attack for the breach.
In a recent notification sent this Wednesday, PayPal noted:
“On December 20, 2022, we confirmed that unauthorized persons were able to access your Paypal customer account using your login credentials.”
After learning of the new data breach on December 8, PayPal stopped the unauthorized access and immediately launched an investigation. PayPal promptly reset the passwords for the affected accounts and “implemented enhanced security controls” that would require affected accounts to set a new password.
“We have no information to suggest that your personal information has been misused due to this incident or that there are unauthorized transactions on your account. There is also no evidence that your login credentials were obtained from any PayPal system,” PayPal noted.
PayPal says its systems were not breached
Because the hackers gained unauthorized access to user accounts using valid credentials, PayPal said there was no breach of its systems. The company noted that there is no evidence to suggest that the users’ credentials were obtained directly from its systems.
Instead, the hackers were able to access the accounts through credential stuffing. This method involves testing pairs of usernames and passwords leaked in data breaches at various websites. Using bots, the list of credentials is pushed to the login portals of different services.
Users who use the same password for different online accounts are the most likely to become victims of credential stuffing attacks. PayPal claims to have taken swift action to limit the hackers’ access to the platform and to reset the passwords of the affected accounts. Additionally, all affected users will receive a two-year identity monitoring service from Equifax free of charge.
PayPal also mentioned that the attackers were unable to make any transactions from the breached accounts. To avoid becoming a victim of future attacks, users are encouraged to enable two-factor authentication (2FA) on their accounts.
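For defenders, the credential stuffing pattern described above (one source trying many different usernames, mostly failing) can be spotted in login logs. The following is an added example, not code from PayPal or the original article; the log format, thresholds and sample events are assumptions constructed for illustration.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=5)  # assumed look-back window
MIN_USERS = 5                  # assumed: distinct usernames per source in window
MIN_FAIL_RATIO = 0.8           # assumed: replayed breach lists mostly fail

def make_sample_events():
    """Constructed login log: (timestamp, source_ip, username, success)."""
    t0 = datetime(2024, 1, 1, 3, 0, 0)
    events = []
    # One source cycling through many usernames, one attempt each (stuffing).
    for i in range(12):
        ok = (i == 7)  # one reused password happens to work
        events.append((t0 + timedelta(seconds=10 * i), "203.0.113.9", f"user{i}", ok))
    # A legitimate user mistyping a password twice, then succeeding.
    for i, ok in enumerate([False, False, True]):
        events.append((t0 + timedelta(seconds=30 * i), "198.51.100.4", "alice", ok))
    return sorted(events)

def detect_stuffing(events):
    """Return {source_ip: usernames that logged in successfully from it}
    for every source whose sliding window looks like credential stuffing."""
    windows = defaultdict(deque)   # ip -> recent (timestamp, username, success)
    successes = defaultdict(set)   # ip -> usernames with any successful login
    flagged = set()
    for ts, ip, user, ok in events:
        win = windows[ip]
        win.append((ts, user, ok))
        # Drop attempts that have aged out of the look-back window.
        while ts - win[0][0] > WINDOW:
            win.popleft()
        if ok:
            successes[ip].add(user)
        users = {u for _, u, _ in win}
        fails = sum(1 for _, _, success in win if not success)
        # Many distinct usernames plus a high failure ratio separates stuffing
        # from a single user retrying their own password.
        if len(users) >= MIN_USERS and fails / len(win) >= MIN_FAIL_RATIO:
            flagged.add(ip)
    # Accounts that authenticated from a flagged source need a forced reset.
    return {ip: successes[ip] for ip in flagged}

if __name__ == "__main__":
    for ip, users in detect_stuffing(make_sample_events()).items():
        print(ip, "flagged; accounts needing password reset:", sorted(users))
```

Counting per source address is a simplification: attempts spread across many addresses need additional grouping keys.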
Bhushan is a FinTech enthusiast and has a good knack for understanding financial markets. His interest in economics and finance draws his attention to the new emerging markets of Blockchain technology and cryptocurrencies. He is continuously in a learning process and stays motivated by sharing the knowledge he has acquired. In his spare time, he reads thrillers and sometimes explores his culinary skills.