The accounts of 34,942 PayPal users were hacked between the 2nd and 6th of December 2022 by unauthorised parties through a credential stuffing attack. Hackers potentially gained access to customers’ personal data, including their name, address, date of birth, tax ID number, and social security number.
In a credential stuffing attack, hackers try username and password pairs that have leaked from various websites to log in to accounts. The incident prompted PayPal to urge customers to avoid password recycling and to activate two-factor authentication on their accounts.
PayPal disclosed the security incident in a notice on January 18 and in a data breach notification filed with the Maine Attorney General, noting the nearly 35,000 people affected.
The company sent out a notification to all impacted users stating that it had “no information suggesting that any of your personal information was misused as a result of this incident, or that there are any unauthorized transactions on your account,” and that the attackers no longer had access to the accounts by December 8th.
PayPal has provided victims of the data breach with free access to Equifax identity monitoring services for two years.
In 2022, PayPal encouraged Apple users to swap passwords for passkeys, stating that passkeys are both more secure and easier to use for customers.