PayPal Data Breach – Thousands of User Accounts Compromised – CybersecurityNews

The unauthorized parties used login credentials to access PayPal user accounts, according to a PayPal notification of a security incident.
Between December 6 and December 8, 2022, hackers gained unauthorized access to the accounts of thousands of individuals. A total of 34,942 accounts were reportedly accessed by threat actors employing a ‘credential stuffing attack’.
In a “credential stuffing” attack, the attacker tries username and password combinations obtained from data leaks on numerous websites in an effort to gain access to an account.
Because many users reuse the same username/email and password across sites, credentials exposed in a data breach or phishing attack can be submitted to dozens or hundreds of other websites, enabling an attacker to compromise those accounts as well.
“The unauthorized third parties were able to view, and potentially acquire, some personal information for certain PayPal users”, reads the PayPal notice of security incident.
According to PayPal, the personal information that was leaked may have included name, address, Social Security number, individual tax identification number, and/or date of birth.
On December 20, 2022, PayPal confirmed that a third party had used the login information to access PayPal customer accounts.
The firm identified the activity at the time and took steps to mitigate it, and it also launched an internal investigation to determine how the hackers gained access to the accounts.
The electronic payment system states that there was no system breach, and there is no proof that the user credentials were taken directly from the users.
“We have no information suggesting that any of your personal information was misused as a result of this incident, or that there are any unauthorized transactions on your account.” 
“There is also no evidence that your login credentials were obtained from any PayPal systems”, PayPal said.
PayPal is giving impacted customers free access for two years to Equifax’s identity monitoring services.
“We reset the passwords of the affected PayPal accounts and implemented enhanced security controls that will require you to establish a new password the next time you log in to your account”, PayPal noted.