Around 35,000 accounts are affected. Unknown persons capture names, addresses and social security numbers, but no financial data. The trigger is a credential stuffing attack.
Unknown persons have captured social security numbers and other confidential data of 35,000 PayPal users. The payment service provider said it was the victim of a credential-stuffing attack. The incident occurred between December 6 and 8, 2022 – it was discovered on December 20.
According to a notification to the responsible regulatory authority of the US state of Maine, user names, addresses, dates of birth and individual tax numbers were compromised in addition to social security numbers. However, there was no evidence of access to financial data or misuse of customer accounts, PayPal added. The payment system was also not affected, it said
PayPal resets passwords of affected accounts
The company told CNET that affected customers had already been notified. The passwords of all affected accounts had also been reset – customers would have to enter a new password the next time they logged in. Those affected are also being offered a free identity theft protection service by PayPal for two years.
In a credential stuffing attack, cybercriminals try to hijack as many accounts of a service provider as possible with already leaked combinations of usernames and passwords. Security experts recommend configuring a two-step login as protection against these attacks. In addition to hardware security keys, PayPal also supports third-party authentication apps and the sending of codes via SMS.