According to the PayPal notification of the security incident, an unauthorized party tried to access nearly 35, 000 PayPal user accounts. PayPal’s servers were not hacked; in fact, the reason for hacking was a ‘credential stuffing attack’ meaning that the attackers used a list of stolen usernames and passwords to try and gain access to these accounts, and were successful in accessing some of them.
This took place from December 6 to December 8, 2022. PayPal detected and mitigated it at moment. An internal investigation was launched to determine how the hackers gained access to the accounts.
Within two days, the hackers had access to account holders’ full names, dates of birth, mailing addresses, individual tax identification numbers, and social security numbers.
As of December 20, 2022, PayPal has closed its investigation and confirmed that the accounts were accessed by unauthorized third parties with valid credentials.
The popular online payments platform claims to have taken early steps to limit attackers’ access to the platform and reset passwords for accounts confirmed to have been compromised. The good news is that there was no successful transaction from the compromised PayPal accounts.
PayPal has notified its users to take steps to protect their accounts by using a unique and strong password for each account. They also advised their users to monitor their accounts for any suspicious activity and activate two-factor authentication, to prevent such unauthorized account access even after having a valid username and password. The affected users also get two free years of Equifax subscription, an identity monitoring service.
Make sure not to use the same credentials (email or username and password) for multiple accounts on various apps and websites. The hacker can potentially gain access to all of those accounts. That is why it is necessary to use a unique and strong password for each account and to avoid reusing the same password across multiple accounts.