Around 35,000 PayPal user accounts had been hacked using a method called "credential stuffing," resulting in exposed names and Social Security numbers. The attack involved automatically injecting login credentials that were found during previous data breaches.
The California-based payment platform sent a notice on the website of Maine's Office of the Attorney General. It also sent a letter, dated Jan. 19, about the data breach to its 34,942 impacted users.
"On December 20, 2022, we confirmed that unauthorized parties were able to access your PayPal customer account using your login credentials. We have no information suggesting that any of your personal information was misused as a result of this incident, or that there are any unauthorized transactions on your account. There is also no evidence that your login credentials were obtained from any PayPal systems," the letter read.
Based on the company's investigation, the unauthorized activity occurred between December 6 and December 8, 2022, when it eliminated access for unauthorized third parties, which it did not identify. During this time, the third parties were able to view and potentially acquire, some personal information for certain users, such as full names, dates of birth, Social Security numbers, addresses and tax identification numbers. (Related: WhatsApp HACKED: Nearly 500 million phone numbers from 84 countries and territories put up for sale.)
"If you detect any suspicious activity on an account, change the password and security questions immediately, and promptly notify the company where the account is maintained," PayPal stated and suggested to ass additional security features including enabling the "two-step verification" in the account settings.
"When links are present in an email, individuals should hover [their] mouse over the links to view the actual destination URL and should not click on the link if [they] are unsure of the destination URL or website," the firm also suggested.
On their end, PayPal said it has reset passwords and affected users will also get free identity monitoring services from Equifax, a consumer credit reporting company.
Meanwhile, the finance company said the website and its payment systems were not hacked.
“PayPal's payment systems were not impacted, and no financial information was accessed. We have contacted affected customers directly to provide guidance on this matter to help them further protect their information. The security and privacy of our customers' account information [remain] a top priority for PayPal, and we sincerely apologize for any inconvenience this may have caused," it said.
Passwords are stolen due to previous hacking incidents
Sam Curry, chief security officer at Cybereason, passwords of a large number of users are stolen because of previous hacks. "The hackers were able to brute slam PayPal accounts with these until they found 35,000 matches," Curry said.
Jasson Casey, the chief technology officer at Beyond Identity, said that if a threat actor can access legitimate credentials, even if they’re dumped in a dark-web repository, "they are only a few short, and in most cases, automated steps away from a successful intrusion,"
PCMag's Michael Kan said victims should still always be on guard. He added that the incident is also a reminder to use unique, hard-to-guess passwords on your most important login accounts. "You should also activate the account’s two-factor authentication, which can make it harder for hackers to break in even if they successfully obtained your password," Kan added.
Visit CyberWar.news for more stories like this.
Watch the video below that talks about the Spain hacking scandal that involved the mobile phones of the nation's prime minister and defense minister.
This video is from the American Media Periscope channel on Brighteon.com.
More related stories:
PayPal quietly reinserts $2,500 fine into user policy for those accused of pushing 'misinformation.'
Sources include:
Please contact us for more information.