>
PayPal has warned some of its customers that their accounts have been breached and some sensitive data has been compromised.
In his report (opens in new tab), the company confirmed that on December 20, 2022, an unauthorized third party gained access to a number of PayPal accounts. Further investigation revealed that whoever was behind the attack accessed the accounts between December 6 and December 8, 2022.
“During this time, the unauthorized third parties were able to view and potentially obtain certain personal information of certain PayPal users,” the warning reads. That data includes usernames, addresses, social security numbers, individual tax identification numbers and/or dates of birth.
No evidence of abuse
PayPal hasn’t explained exactly how the attackers gained access to these accounts, other than saying there’s “no evidence” that the credentials were pulled from the company’s systems.
Beeping computer reports that the breach is the result of credential stuffing, a type of attack in which hackers “stuff” the login page with numerous credentials taken elsewhere until one finally works.
This method relies on people using the same passwords for multiple services, so that if one is breached, they’re all at risk. The same report also claims that 34,942 accounts were compromised and that transaction history, linked credit or debit card information, and PayPal billing information were also likely accessed.
What the hackers will do with the data obtained in the attack remains to be seen. At this point, PayPal doesn’t have any proof that the data has been misused, but it’s safe to assume it will be used in identity theft (opens in new tab)phishing or other forms of social engineering attacks.
To protect its users, PayPal has reset passwords for affected users and “enhanced security controls” requiring users to create a new account on their next login. Users also received free identity verification services through Equifax for a year.
Through: Beeping computer (opens in new tab)