
PayPal Security Breach: Thousands of Accounts Compromised

PayPal suffered a credential stuffing attack, and the company is sending notifications to thousands of users who fell victim to it. The events date back to last December, but the company is only now making the situation known. For those who have never heard of it, credential stuffing is a type of attack in which hackers try to access accounts using pairs of usernames and passwords that were obtained through theft of data on various sites. It relies on an automated approach, with bots running lists of credentials against the login portals of various services.

Credential stuffing attacks target users who use the same password for multiple online accounts, a phenomenon known as “password recycling”. PayPal explains that the credential stuffing attack happened between December 6th and 8th, 2022.

The payment platform says that it was not the result of a breach of its systems or, at least, that it has no evidence pointing to one. According to PayPal’s data breach report, 34942 user accounts were affected. Over the course of two days, hackers gained access to full account names, dates of birth, mailing addresses, social security numbers and individual tax identification numbers, transaction histories, associated credit or debit card details, and PayPal billing.

The company says it took immediate steps to limit intruders’ access to the platform and reset passwords for accounts confirmed as hacked. Furthermore, the company says that the attackers either did not attempt to transact with the hacked accounts or failed to do so.

The company strongly recommends that recipients of the notification change their passwords for other online accounts to a unique, long string. Typically, a good password is at least 12 characters long and includes alphanumeric characters and symbols. In addition, PayPal recommends that users enable Two-Factor Authentication (2FA) protection in the “Account Settings” menu, which can prevent unauthorized third parties from accessing an account even if they have a valid username and password.


