PayPal claims that this was not a result of a breach in its systems, since no evidence suggests that the user credentials were obtained directly from them.
On Thursday, January 19th, 2023, PayPal began contacting nearly 35,000 users with a data breach notification, explaining that their accounts had been hacked between December 6th and 8th, 2022.
The company was able to detect and mitigate the attack as soon as it occurred, but the conclusive investigation was not finished until December 20th, 2022. At this point, they confirmed that the hackers had gained unauthorized access to the accounts using valid credentials.
PayPal claims that this was not a result of a breach in its systems, since no evidence suggests that the user credentials were obtained directly from them.
The hackers were able to access the accounts by using credential stuffing, whereby pairs of usernames and passwords sourced from data leaks are tried on various websites. With the help of bots, lists of credentials are inserted into login portals for various services. Users who employ the same password for multiple online accounts, known as password recycling, are most prone to credential-stuffing attacks.
According to the data breach notification by PayPal, 34,942 users have been affected by the incident. While unauthorized third parties had access to the accounts, they could view the following information about the account holders:
- Full names
- Dates of birth
- Postal addresses
- Social security numbers
- Individual tax identification
According to Bleeping Computer’s report, transaction histories, connected credit or debit card details, and PayPal invoicing data are all accessible through the accounts, as well.
PayPal claims to have taken quick action to limit the hackers’ access to the platform by resetting the passwords of all the affected accounts. Impacted users will receive a free, two-year identity monitoring service from Equifax.
PayPal further confirmed that the attackers did not attempt or manage to perform any transactions from the breached accounts.
“We have no information suggesting that any of your personal information was misused as a result of this incident, or that there are any unauthorized transactions on your account.”
– PayPal
In a conversation with Hackread.com, Jasson Casey, CTO at Beyond Identity said that “It’s no wonder the Verizon Data Breach Report 2022 found credentials were the most likely form of data to be compromised in both the US (66%) and EMEA (67%).
“If a threat actor can access legitimate credentials – even if they’re dumped in a dark web repository – they are only a few short, and in most cases, automated steps away from a successful intrusion,” Jasson added.
The CTO praised PayPal for its quick response and for mitigating the attack, but questioned whether merely changing passwords is the solution. “In this incident, the company is doing the best it can for its customers – strongly recommending they change their passwords. But passwords – whether unique or complex – are fundamentally flawed. More than 80% of data breaches are the direct result of passwords, with threat actors deploying compromised credentials in the first phase of their attack,” Jasson said.
How to secure your PayPal account
PayPal accounts are a great way to shop online and make payments, but this incident highlights the fact that they can also be vulnerable to hackers. It is important that PayPal users take steps to protect their accounts and personal information from potential theft.
To prevent unauthorized access, it is essential that PayPal users create a strong password with at least 8 characters and include a mix of numbers, symbols, upper-case letters, and lower-case letters.
It’s also recommended that users change the password periodically. Additionally, two-factor authentication (2FA) should be enabled on the account so that any suspicious activity will have an extra layer of security before it can be completed. Finally, users should check their accounts regularly for unusual activity or unauthorized transactions.
Using these tips can help ensure your PayPal account remains secure against potential threats or breaches.