© 2023 CyberNews - Latest tech news, product reviews, and analyses.


PayPal confirms data breach

Thousands of customers are being notified that their PayPal accounts were accessed by attackers in a credential stuffing breach this past December.

According to the California-based fintech giant, the breach occurred sometime between December 6 and December 8.

PayPal responded to Cybernews with this official statement:

“Earlier in December, our security team identified and resolved a data incident that affected a small number of PayPal customer accounts. PayPal’s payment systems were not impacted, and no financial information was accessed. We have contacted affected customers directly to provide guidance on this matter to help them further protect their information. The security and privacy of our customers’ account information remains a top priority for PayPal, and we sincerely apologize for any inconvenience this may have caused,” - PayPal said.

The breach was not discovered until almost two weeks later, on December 20.

“During this time, the unauthorized third parties were able to view, and potentially acquire, some personal information for certain PayPal users,” the data breach notification states.

Investigators say an unknown third party was able to gain access to the personal accounts using a hacking technique known as credential stuffing.

There is no information suggesting “any personal information was misused as a result of this incident, or that there are any unauthorized transactions on your account,” according to the notice.

Credential stuffing is an attack in which automated bots replay username and password pairs already leaked from other breaches, typically stolen or bought on the dark web, against the login page of the targeted system. It works only because people reuse passwords across sites: the attacker is not guessing, but testing which leaked pairs still unlock an account on the target.
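The shape of such a campaign is visible in authentication logs: one source hits many distinct usernames, one or two attempts each, with a high failure rate and a handful of successes where the reused password still works. The script below is an added example, not code from the article or from PayPal. It assumes a simple login-log format ("timestamp source-ip user=<name> result=OK|FAIL"), builds a constructed toy log in build_sample_log(), flags sources matching that shape inside a sliding window, and then lists the accounts that logged in successfully from a flagged source, which is the set an operator would force-reset and notify.

```python
"""Credential-stuffing detector over login audit logs (added example; constructed data).

A stuffing campaign replays username/password pairs leaked from OTHER sites, so
from the victim's side each attacking source tries many DISTINCT usernames with
mostly failures and a few successes.  That differs from a brute-force attack
(many attempts on ONE username) and from a legitimate user mistyping a password.
"""
import re
from collections import Counter, defaultdict, deque
from datetime import datetime, timedelta

# Assumed log format (hypothetical, not PayPal's):
#   "<ISO UTC timestamp> <source IP> user=<name> result=OK|FAIL"
LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<ip>\S+) user=(?P<user>\S+) result=(?P<result>OK|FAIL)$")
TS_FMT = "%Y-%m-%dT%H:%M:%SZ"


def parse_line(line):
    """Return (timestamp, ip, username, succeeded), or None for lines that are not login events."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return datetime.strptime(m["ts"], TS_FMT), m["ip"], m["user"], m["result"] == "OK"


def detect_stuffing(lines, window_s=300, min_distinct_users=20, max_success_ratio=0.2):
    """Flag source IPs that, inside any sliding window, hit many distinct usernames with mostly failures.

    Returns {ip: stats} holding the largest distinct-username count seen for each flagged IP.
    """
    events = sorted(e for e in map(parse_line, lines) if e is not None)
    window = timedelta(seconds=window_s)
    state = defaultdict(lambda: {"q": deque(), "users": Counter(), "ok": 0})
    flagged = {}
    for ts, ip, user, ok in events:
        st = state[ip]
        st["q"].append((ts, user, ok))
        st["users"][user] += 1
        st["ok"] += int(ok)
        # Evict events that fell out of the window (the newest event always stays).
        while ts - st["q"][0][0] > window:
            _, old_user, old_ok = st["q"].popleft()
            st["users"][old_user] -= 1
            if st["users"][old_user] == 0:
                del st["users"][old_user]
            st["ok"] -= int(old_ok)
        attempts = len(st["q"])
        distinct = len(st["users"])
        if distinct >= min_distinct_users and st["ok"] / attempts <= max_success_ratio:
            prev = flagged.get(ip)
            if prev is None or distinct > prev["distinct_users"]:
                flagged[ip] = {"distinct_users": distinct, "attempts": attempts,
                               "successes": st["ok"], "window_end": ts}
    return flagged


def accounts_to_reset(lines, flagged):
    """Usernames that logged in successfully from a flagged source: the set to force-reset and notify."""
    hit = set()
    for ev in map(parse_line, lines):
        if ev is None:
            continue
        _, ip, user, ok = ev
        if ok and ip in flagged:
            hit.add(user)
    return hit


def build_sample_log():
    """Constructed log (not real data): one stuffing source, one legitimate login, one forgotten password."""
    base = datetime(2022, 12, 6, 3, 0, 0)
    lines = []
    # Stuffing source: 40 leaked pairs replayed at two per second; three passwords are still valid.
    for i in range(40):
        ts = base + timedelta(seconds=i // 2)
        result = "OK" if i in (5, 17, 33) else "FAIL"
        lines.append(f"{ts.strftime(TS_FMT)} 203.0.113.7 user=user{i:03d}@example.com result={result}")
    # Legitimate user: one typo, then success.
    lines.append(f"{(base + timedelta(seconds=10)).strftime(TS_FMT)} 198.51.100.20 user=alice@example.com result=FAIL")
    lines.append(f"{(base + timedelta(seconds=25)).strftime(TS_FMT)} 198.51.100.20 user=alice@example.com result=OK")
    # Forgotten password: eight failures on ONE account, which is not the stuffing shape.
    for i in range(8):
        ts = base + timedelta(seconds=30 + 15 * i)
        lines.append(f"{ts.strftime(TS_FMT)} 198.51.100.21 user=bob@example.com result=FAIL")
    # A non-login line the parser must ignore.
    lines.append("2022-12-06T03:00:05Z 198.51.100.22 GET /index.html 200")
    return lines


if __name__ == "__main__":
    log = build_sample_log()
    hits = detect_stuffing(log)
    for ip, s in hits.items():
        print(f"{ip}: {s['distinct_users']} usernames, {s['successes']}/{s['attempts']} succeeded")
    print("force password reset for:", sorted(accounts_to_reset(log, hits)))
```

On the constructed log only 203.0.113.7 is flagged; the user who fails eight times on a single account is not, because the distinct-username count is what distinguishes stuffing from a forgotten password. The caveat a practitioner will recognise is that real campaigns are spread across proxy or botnet addresses, so a per-IP threshold alone is easy to evade; the same counters need to be kept per ASN, per device fingerprint, and globally (a spike in distinct usernames failing site-wide), and the successes still need a second factor in front of them before a valid password turns into an account takeover.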

Investigators say the acquired login credentials were not taken from any PayPal systems.

“Credential stuffing attacks illustrate a hard truth that many organizations have yet to accept - you can't have effective security if you are still using passwords,” said Jasson Casey, CTO at Beyond Identity, a firm specializing in passwordless identity management.

“Passwords - whether unique or complex - are fundamentally flawed,” said Casey. “More than 80% of data breaches are the direct result of passwords, with threat actors deploying compromised credentials in the first phase of their attack.”

Affected accounts had their passwords automatically reset by the company.

PayPal urged customers to change the passwords for any account using the same login credentials as their PayPal account, and most importantly to enable 2-step verification on their account.

“This type of breach demonstrates the importance for users to enable 2FA (two-factor authentication) AND not reuse passwords. This would have been avoided if PayPal had enforced the utilization of 2FA for all of its users.” said Gil Dabah, co-founder and CEO of data protection and privacy engineering firm Piiano.

“Although 2FA is less convenient for users since they need to approve their login using their mobile phone, it is highly recommended to use it, especially when a logged-in user can perform financial transactions,” said Dabah.

Personally identifiable information (PII) possibly exposed in the attack included names, addresses, Social Security numbers, individual tax identification numbers, and/or date of birth.

California’s breach notification laws require a privately held company to disclose a breach “in the most expedient time possible and without unreasonable delay,” unless advised by law enforcement otherwise.

PayPal stated law enforcement investigations had no impact on the notification process.
