PayPal confirms data breach, sends user warning emails
PayPal has warned some of its customers that their accounts have been compromised and that some of their sensitive data has been exposed.
In its report, the company has confirmed that on December 20, 2022, a third party gained unauthorized access to several PayPal accounts. Further investigation discovered that the person behind the attack accessed the accounts between December 6 and December 8, 2022.
“During this time, unauthorized third parties may be able to view and potentially obtain certain personal information of certain PayPal users,” the warning reads. That data includes the user’s name, address, Social Security number, personal tax identification number, and/or date of birth.
No evidence of abuse
PayPal did not explain exactly how the attackers managed to gain access to these accounts, other than claiming that there was “no evidence” that the login information had been obtained from the company’s systems.
BleepingComputer reported that the breach was the result of credential stuffing, a type of attack in which hackers “stuff” a login page with multiple credentials obtained elsewhere until one finally works.
This method relies on people using the same password across multiple services so that if one service is breached, all are at risk. The same report also claimed 34,942 accounts were compromised and that transaction history, connected credit or debit card details, and PayPal invoice data were also likely accessed.
What hackers will do with the data obtained in the attack remains to be seen. Currently, PayPal does not have any evidence that the data has been misused, but one can be sure that it will be used in the future for identity theft, phishing or other forms of social engineering attack.
To protect its users, PayPal has reset passwords for affected users and put in place “advanced security controls” that require users to set up a new account the next time they log in. In addition, users were offered a free one-year identity monitoring service through Equifax.
Via: BleepingComputer