PayPal sends data breach notifications to thousands of users whose accounts were accessed via credential stuffing attacks that exposed certain personal data.

Credential stuffing is an attack in which hackers attempt to gain access to an account by trying username and password pairs from data leaks on various websites.

This type of attack relies on a automated approach with bots running lists of credentials to “provide” into login portals for various services.

Credential stuffing targets users who use the same password for multiple online accounts, known as “password recycling”.

Nearly 35,000 users impacted

PayPal explains that the credential stuffing attack occurred between December 6 and December 8, 2022. The company detected and mitigated it at the time, but also launched an internal investigation to find out how the hackers obtained access to accounts.

On December 20, 2022, PayPal concluded its investigation, confirming that unauthorized third parties logged into the accounts with valid credentials.

The e-payment platform claims this was not due to a breach of its systems and has no evidence that the user’s credentials were obtained directly from them.

According to PayPal’s data breach report, 34,942 of its users were affected by the incident. During the two days, the hackers had access to the full names, dates of birth, mailing addresses, social security numbers and tax identification numbers of the account holders.

Transaction histories, details of connected credit or debit cards and PayPal billing data are also accessible on PayPal accounts.

PayPal says it took timely action to limit intruders’ access to the platform and reset passwords for accounts confirmed to have been hacked.

Additionally, the notification claims that the attackers did not attempt or fail to transact from the hacked PayPal accounts.

“We have no information to suggest that any of your personal information was misused as a result of this incident, or that there are any unauthorized transactions on your account,” it read. Notice from PayPal to affected users.

Affected users will receive a free two-year identity monitoring service from Equifax.

The Company strongly recommends that notification recipients change the passwords of other online accounts to a unique, long string. Typically, a good password is at least 12 characters long and includes alphanumeric characters and symbols.

Additionally, PayPal advises users to enable two-factor authentication (2FA) protection from the “Account Settings” menu, which can prevent an unauthorized party from accessing an account, even if they have a valid username and password.