- Nearly 35,000 PayPal accounts were accessed via a credential stuffing attack, exposing personal information including names, addresses, social security numbers, tax identification numbers, and dates of birth, the company said Wednesday.
- The financial services company said unauthorized parties accessed PayPal customer accounts between Dec. 6 and Dec. 8. PayPal discovered the breach on Dec. 20 and, in a data breach notification filed in Maine, said there is no evidence login credentials were obtained through any company systems.
- PayPal on Wednesday sent notices of the security incident to impacted customers, and emphasized the company has no evidence that personal information was misused as a result of the incident.
Credential stuffing is a persistent threat. This form of attack exploits valid credentials stolen during a breach or purchased on the dark web, often in bulk.
The damage from credential stuffing can multiply and flow downstream because many individuals reuse usernames and passwords across multiple accounts.
Cybercriminals are using proxies and configurations to mask and automate credential stuffing attacks targeting U.S. businesses, the FBI said in an August 2022 warning to private industry.
A PayPal spokesperson said the data incident, which has been resolved, affected a small number of customers. The company ended the third quarter of 2022 with 432 million active accounts, according to its earnings report.
“PayPal’s payment systems were not impacted, and no financial information was accessed. We have contacted affected customers directly to provide guidance on this matter to help them further protect their information,” the spokesperson said via email.
In the notice sent to impacted customers, the company said it proactively reset the passwords of affected accounts and implemented enhanced security controls, requiring users to establish a new password the next time they log in to their account.
“The security and privacy of our customers’ account information remains a top priority for PayPal, and we sincerely apologize for any inconvenience this may have caused,” the spokesperson said.