PayPal confirms that thousands of its users' accounts have been hacked


PayPal has notified thousands of its customers that their accounts were compromised in an attack that exposed some personal information.

The company said the accounts were compromised in so-called credential stuffing attacks, in which attackers take credentials exposed in earlier breaches and try them against other websites and services where the victim has used the same password. These attacks target people who use the same password across multiple online accounts, a practice known as "password recycling".

The online payment service said the credential stuffing attack took place between December 6 and 8 last year, that it is working to mitigate it, and that it has also launched an internal investigation into how the hackers accessed the hijacked accounts.

On December 20, 2022, PayPal completed its investigation and confirmed that an unauthorized third party with valid credentials may have gained access to these accounts.

The company denies that its systems were hacked and says there is no evidence that user credentials were stolen directly from its systems.

According to the data breach report published by PayPal, 34,942 users were affected by the incident. Over the course of two days, the hackers obtained account holders' full names, dates of birth, mailing addresses, social security numbers, and tax IDs.

Hackers also gained access to transaction records, credit or debit card details, and PayPal billing details stored on the platform.

PayPal said it proactively prevented hackers from accessing the platform and reset the passwords of accounts that were confirmed to have been compromised. The company said in the letter that the attackers either did not attempt or failed to carry out any financial transactions from the hacked PayPal accounts.

"We have no information to indicate that your personal information was misused as a result of this incident or that unauthorized transactions were made on your account," the company said. "We're resetting passwords for affected PayPal accounts and implementing enhanced security checks that require you to create a new password the next time you sign in to your account," it added.

Affected users will receive two years of free identity monitoring from Equifax, and the company strongly recommends that recipients change the passwords for their other online accounts to long, unique ones. A good password is usually at least 12 characters long and contains letters, numbers, and symbols.

Additionally, PayPal recommends that users enable two-factor authentication protection in the account settings menu, which prevents unauthorized individuals from accessing accounts even if they have valid usernames and passwords.
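
The following Python example is added here and is not taken from PayPal or the original report. It shows how a defender could spot the credential stuffing pattern described above in login logs (one source trying many different usernames, mostly failing) and list the accounts whose passwords should be reset. The log format, thresholds, and function names are assumptions, and the log lines are constructed.

```python
from collections import defaultdict

# Constructed sample auth log (not real data); IPs are documentation ranges.
# Assumed line format: <timestamp> <source_ip> <username> <OK|FAIL>
SAMPLE_LOG = """\
2024-01-01T10:00:01Z 203.0.113.7 alice FAIL
2024-01-01T10:00:02Z 203.0.113.7 bob FAIL
2024-01-01T10:00:03Z 203.0.113.7 carol OK
2024-01-01T10:00:04Z 203.0.113.7 dave FAIL
2024-01-01T10:00:05Z 203.0.113.7 erin FAIL
2024-01-01T10:00:06Z 203.0.113.7 frank OK
2024-01-01T10:05:00Z 198.51.100.20 grace FAIL
2024-01-01T10:05:09Z 198.51.100.20 grace FAIL
2024-01-01T10:05:20Z 198.51.100.20 grace OK
2024-01-01T10:07:00Z 192.0.2.44 heidi OK
"""

def parse(log):
    """Yield (source_ip, username, succeeded) for each well-formed line."""
    for line in log.splitlines():
        parts = line.split()
        if len(parts) != 4 or parts[3] not in ("OK", "FAIL"):
            continue  # skip malformed lines instead of crashing
        yield parts[1], parts[2], parts[3] == "OK"

def find_stuffing(log, min_users=5, min_fail_ratio=0.5):
    """Return {source_ip: [usernames that logged in OK]} for sources that try
    many distinct usernames and mostly fail (thresholds are assumptions)."""
    attempts, failures = defaultdict(int), defaultdict(int)
    users, hits = defaultdict(set), defaultdict(set)
    for ip, user, ok in parse(log):
        attempts[ip] += 1
        users[ip].add(user)
        if ok:
            hits[ip].add(user)  # valid reused password: account needs a reset
        else:
            failures[ip] += 1
    flagged = {}
    for ip, total in attempts.items():
        many_users = len(users[ip]) >= min_users
        mostly_failed = failures[ip] / total >= min_fail_ratio
        if many_users and mostly_failed:
            flagged[ip] = sorted(hits[ip])
    return flagged

if __name__ == "__main__":
    print(find_stuffing(SAMPLE_LOG))
```

A user who mistypes their own password a few times (the `grace` lines) is not flagged, because only one username is involved. Grouping by source IP is a simplification; production detections usually aggregate on additional signals.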


