Nearly 35,000 PayPal customers were the victims of a credential stuffing attack in which threat actors gained access to their personal and financial information. This text shares details about the attack, what actually happened, how PayPal handled the case, what the organization is doing for the affected customers, and how you can protect your PayPal accounts and data.

PayPal has recently sent a data breach notification to thousands of customers worldwide, informing them of a large-scale credential stuffing attack that exposed the personal data of nearly 35,000 PayPal customers. Here’s a comprehensive look into the incident covering how and when the cyberattack occurred and what customers can do to protect their accounts.


The PayPal Credential Stuffing Attack at a Glance

PayPal confirmed that threat actors were able to access PayPal customer accounts on 20 December of last year by utilizing legitimate login credentials.

PayPal initially outlined that the organization had no information that suggested the misuse of personal information due to the cyberattack and stated, “There is also no evidence that your login credentials were obtained from any PayPal systems.”

However, based on the investigation that the organization has carried out to date, they have found many details regarding the cyberattack. The threat actors breached PayPal’s systems between 6 December 2022 and 8 December 2022, during which time the threat actors viewed and potentially acquired the personal information of PayPal’s customers.


What Data did the Threat Actors Access?

Claiming that the cyberattack was not due to a breach in its systems, PayPal has revealed that 34,942 of its customers have been impacted by the incident, during which the threat actors had access to the personal information of these users and could have made away with the sensitive information.




The information that the threat actors had access to includes full names, dates of birth, postal addresses, individual tax identification numbers, and social security numbers, all of which are crucial information meant to be kept private, which threat actors can use for malicious purposes. Apart from this, the threat actors also had access to connected credit and debit card details, transaction histories of the customers, and PayPal invoicing data.


What is PayPal Doing for Affected Customers?

PayPal was prompt in its approach and, upon discovering the data breach, leaped into action, beginning its investigation into the cyberattack and resetting the passwords of all affected PayPal accounts to prevent threat actor access to these and the personal and financial information contained within said accounts.

Furthermore, PayPal implemented enhanced security controls that require the affected customers to establish a new password at their next account login, keeping the threat actors at bay.

In addition, PayPal secured Equifax to provide identity monitoring services to its affected customers at no extra cost for the next two years and also provided information on how customers can avail of these. The Equifax identity monitoring will enable the affected customers to:

  • Get annual access to their credit report from all 3-bureaus and their VantageScore credit scores.
  • Check their Equifax credit report daily and receive updates on their 1-bureau VantageScore credit score.
  • Monitor their credit with notifications for critical changes to their credit reports from all 3-bureaus.
  • Receive WebScan alerts if their personal information, such as Social Security Number, credit/debit card, or bank account numbers, are found on fraudulent websites.
  • Enjoy automatic fraud alerts, blocked inquiry alerts, and the ability to lock their Equifax credit report to help protect against identity theft.
  • Receive Identity Restoration assistance to help restore their identity should they become a victim of identity theft, with a dedicated specialist working on their behalf.
  • Benefit from up to $1,000,000 of identity theft insurance coverage for certain out-of-pocket expenses resulting from identity theft.
  • Get Lost Wallet Assistance if their wallet is lost or stolen, and one-stop assistance in canceling and reissuing credit, debit, and personal identification cards.



What can Customers do to Protect their Accounts and Information?

PayPal has taken steps to ensure the accounts are protected. Still, the customers must ensure that they are not breached again, and that threat actors do not leverage the stolen information in social engineering attacks. The affected customers need to:




  1. Change Passwords: Change your passwords immediately, using a strong and unique password for each account. Password recycling (using the same password for different accounts) can open you up to malicious targeting and compromise more accounts, which is why you need to change passwords on other websites and applications, too, if you use the same one.
  2. Enable Two-Factor Authentication: Enable two-factor authentication (2FA) on your PayPal accounts by navigating to the “Account Settings” menu. 2FA can offer enhanced protection by preventing unauthorized access to the accounts by requiring additional biometrics or PINs at login.
  3. Monitor Accounts: Monitor your accounts for suspicious activity and report any unauthorized access to the relevant service provider. With the Equifax benefits that PayPal is providing to affected customers, this should be an easy one. You can also go for an online protection service, but be sure to use the best service to protect your identity online.
  4. Be Cautious of Phishing: Be cautious of phishing attempts, which may try to trick you into revealing personal information or login credentials. Threat actors may utilize the stolen personal information to target you in spear phishing attacks or use your information to target others. If you receive any unsolicited emails with telltale phishing signs, you need to stay protected.
  5. Use a Password Manager: Use a password manager to generate and store strong, unique passwords for each account. Password managers can keep your passwords safe and generate long strings of passwords that are tough to break.
  6. Keep Software Updated: Keep the software and apps on all your devices updated. Software updates contain security and app upgrades that can keep your devices free from malware or spyware that the threat actors may try to drop using emails.
  7. Use Reliable Anti-Virus and Anti-Malware: Use reliable anti-virus and anti-malware software to protect your devices from malicious software. Anti-virus software can also scan and flag suspicious emails to provide you with protection.


Final Words

The recent PayPal credential stuffing attack is a reminder of the significance of protection from phishing and the need for individuals and businesses to take proactive measures to protect their accounts and personal information.

The attack, which affected nearly 35,000 accounts, highlights the potential risks associated with using the same login credentials across multiple accounts and the importance of using strong, unique passwords and enabling 2FA to thwart cyberattacks.

It also emphasizes the need for businesses to implement robust security measures to protect against these types of attacks, as cybersecurity is not achieved by the organization or its customers alone but is a collective effort of the two.




Moving forward, individuals should be vigilant, monitor their accounts for suspicious activity, and immediately report any unauthorized access to PayPal or other service providers. It is essential to be cautious of phishing attempts and to use reliable anti-virus and anti-malware software to protect devices from malware and other malicious software.