Nearly 35,000 PayPal user accounts have been breached by so-called “credential stuffing”. PayPal managed to stop the two-day intrusion and reset the affected users’ passwords.
In fact, PayPal’s own servers weren’t hacked. The reason for the hack was the so-called “credential stuffing”, a technique the hackers used to gain access to the user accounts. This type of attack is when a hacker uses previously leaked login info – and if the user has reused it for their PayPal account, the hacker can get access.
The intrusion reportedly lasted two days, between December 6 and December 8, 2022, and it affected 34,942 user accounts. It is possible that the hackers were able to access a significant amount of personal information for the affected users, including full names, birth dates, postal addresses, social security numbers, and individual tax identification numbers. On top of that, hackers had access to transaction histories, connected credit and debit card details, and PayPal invoicing data.
However, PayPal was able to stop the attack and reset the passwords for the users so the hackers would lose access. The popular online payments platform reassures that no unauthorized transactions were attempted. The affected users also get two free years of credit monitoring from Equifax.
All in all, this could have become a very bad situation if the hackers were trying to make transactions from the affected users’ accounts. Fortunately, this didn’t happen. The entire situation shows that not reusing the same password across platforms (especially PayPal or other payment platforms) is of primary importance.
Basically, PayPal wasn’t hacked; so if the users had not reused passwords, they wouldn’t have been hacked either. So, better not to reuse passwords. If you’re having trouble remembering all your passwords, you can use a service like 1Password or other password managers. Also, you can benefit from PayPal’s two-factor authentication for an even tighter security of your account.