PayPal suffered a massive breach in December and has alerted the nearly 35,000 potentially affected customers with a notice that explains the situation and what customers must do to keep their account safe. The information that was leaked includes extremely personal data which could put users’ identities at risk.
“We confirmed that unauthorized parties were able to access your PayPal customer account using your login credentials,” PayPal said in its letter to customers. “We have no information suggesting that any of your personal information was misused as a result of this incident, or that there are any unauthorized transactions on your account.
“There is also no evidence that your login credentials were obtained from any PayPal systems. Based on PayPal’s investigation to date, we believe that this unauthorized activity occurred between December 6, 2022, and December 8, 2022, when we eliminated access for unauthorized third parties. During this time, the unauthorized third parties were able to view, and potentially acquire, some personal information for certain PayPal users.”
PayPal said the malicious parties may have obtained customers’ names, addresses, Social Security numbers, individual tax identification numbers, and/or dates of birth.
It was reported that the information was obtained in a credential stuffing attack, in which threat actors obtain leaked usernames and passwords and try to force their way into other websites with them. Hackers might attempt to use your username and password on hundreds of websites, looking for any account where the same credentials were reused.
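An added example, not part of the original article and not PayPal's tooling: a sketch of how a defender might spot the credential stuffing pattern described above in login logs and list the accounts that need a password reset. The log format, IP addresses, usernames and thresholds are all constructed assumptions.

```python
from collections import defaultdict

# Constructed sample login events: (source_ip, username, login_succeeded).
SAMPLE_EVENTS = [
    # One source tries 40 different accounts once each; one reused password works.
    ("203.0.113.7", f"user{i}@example.com", i == 17) for i in range(40)
] + [
    # A real user mistyping a password twice, then logging in.
    ("198.51.100.4", "alice@example.com", False),
    ("198.51.100.4", "alice@example.com", False),
    ("198.51.100.4", "alice@example.com", True),
    ("192.0.2.10", "bob@example.com", True),
]


def classify_sources(events, min_users=20, max_tries_per_user=2.0, min_fail_ratio=0.8):
    """Flag sources that look like credential stuffing: many distinct
    usernames, few tries per username, mostly failures. Thresholds are
    illustrative assumptions, not tuned values."""
    attempts, failures = defaultdict(int), defaultdict(int)
    users, hits = defaultdict(set), defaultdict(set)
    for ip, user, ok in events:
        attempts[ip] += 1
        users[ip].add(user)
        if ok:
            hits[ip].add(user)      # a leaked credential pair that worked
        else:
            failures[ip] += 1

    flagged = {}
    for ip, total in attempts.items():
        n_users = len(users[ip])
        fail_ratio = failures[ip] / total
        if (n_users >= min_users
                and total / n_users <= max_tries_per_user
                and fail_ratio >= min_fail_ratio):
            flagged[ip] = {
                "distinct_users": n_users,
                "fail_ratio": round(fail_ratio, 3),
                # Successful logins from a flagged source are the accounts
                # whose passwords should be reset.
                "accounts_to_reset": sorted(hits[ip]),
            }
    return flagged


if __name__ == "__main__":
    for ip, info in classify_sources(SAMPLE_EVENTS).items():
        print(ip, info)
```

Grouping by source IP is a simplification: real campaigns spread attempts across many addresses, so production detection usually also groups by other request attributes.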
Everyone is strongly advised not to reuse passwords. If you notice any suspicious activity on your PayPal account, change your password and security questions. You can also enable two-factor authentication (2FA) to further protect your account.
PayPal swiftly reacted to the threat.
“We reset the passwords of the affected PayPal accounts and implemented enhanced security controls that will require you to establish a new password the next time you login to your account,” PayPal said. “We have also secured the services of Equifax to provide identity monitoring services at no cost to you for two years.
“Users were also given the option to get two free years of identity monitoring from Equifax, a massive credit monitoring company — provided they created an account with Equifax.”