PayPal has suffered an attack and is apparently now sending data breach notifications to thousands of users who fell victim to what are known as credential stuffing attacks. The incident dates back to last month, but the company is only now making it public.
For those who have never heard of them, these are attacks in which hackers try to access an account by trying username and password pairs recovered from data thefts on various websites. They rely on automation: bots run through lists of credentials and "enter" them into the login portals of various services. Credential stuffing attacks target users who use the same password for multiple online accounts, a phenomenon known as "password recycling."
PayPal explains that the credential stuffing attack took place between December 6 and 8, 2022. The company detected and mitigated it at the time, but also launched an internal investigation to find out how the hackers gained access to the accounts. By December 20, 2022, PayPal had concluded its investigation, confirming that unauthorized parties had logged into accounts with valid credentials.
The electronic payments platform says this was not the result of a breach of its systems, or at least that it has no evidence of one. According to PayPal's data breach report, 34,942 of its users were affected by the theft. During the two days, hackers gained access to the account holders' full names, dates of birth, mailing addresses, social security numbers, and individual tax identification numbers. Transaction histories, linked credit or debit card details, and PayPal billing information are also accessible on PayPal accounts.
The company says it took timely steps to restrict the intruders' access to the platform and has reset the passwords of accounts confirmed as hacked. In addition, PayPal states that the attackers either did not attempt or failed to carry out transactions from the hacked PayPal accounts.
The company strongly recommends that recipients of the notifications change the passwords for their other online accounts, using a unique and long string for each. Typically, a good password is at least 12 characters long and includes alphanumeric characters and symbols. In addition, PayPal advises users to turn on two-factor authentication (2FA) protection from the "Account Settings" menu, which can prevent an unauthorized party from accessing an account even if they have a valid username and password.