PayPal says the accounts were accessed by unauthorized parties who were able to guess user credentials, most likely by utilizing massive data leaks from other sites. It highlights the dangers that come from people re-using their login username/password combinations across multiple websites. Password recycling is still concerningly common and can be avoided by using a good password manager. This type of attack gets its name from the bots that run lists of credentials into sites, stuffing login portals until they gain access. PayPal says the attack took place between December 6 and December 8, 2022, affecting 34,942 customers. The company stresses that the incident was not due to a breach of its own systems and there is no evidence that the user credentials were stolen from any PayPal systems.
The accessed information included customers’ names, addresses, Social Security numbers, individual tax identification numbers, and dates of birth. PayPal said it has no information that any of this data has been misused. Notably, there’s no evidence of unauthorized payment transactions on the breached accounts. PayPal said it promptly launched an investigation once the unauthorized access was discovered. It also took steps to prevent further customer information, likely payment and account details, from being stolen. The company reset the passwords of impacted accounts and “implemented enhanced security controls.” These incidents usually involve the victim company informing law enforcement, but The Reg reports that PayPal has not involved the police. The publication asked PayPal why but it never answered. PayPal says it will offer customers two years of identity monitoring from Equifax, a company that is no stranger to data breaches (and once sent out incorrect credit scores). The payments giant also advises impacted users to activate two-factor authentication (2FA) protection on their accounts and change any recycled PayPal credentials used on other websites or services.