Personal data of 35,000 PayPal users was stolen


Curiously, the large-scale leak was not the fault of the service.

PayPal is sending out data breach notifications en masse. As a result of a hacker attack, the personal data of many users fell into the hands of intruders.

PayPal says the attack took place between December 6 and 8, 2022. The company quickly discovered it and took appropriate action, but also launched an internal investigation to find out how the hackers gained access to the accounts.

On December 20, PayPal completed its investigation and confirmed that unauthorized third parties had indeed logged into the compromised accounts, but that this was not due to any vulnerability in the PayPal platform.

The group responsible for the hack used the “credential stuffing” method, in which special software simply tries combinations of credentials that attackers obtained from previous leaks. In other words, the logins and passwords could have leaked from a completely different service a very long time ago, yet still worked for logging in to PayPal accounts. Personal information could be stolen only from accounts that were not protected by two-factor authentication.
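The following Python example is added here and is not PayPal's code or part of the original article. It shows how a defender can spot the pattern described above in login logs: one source trying many different accounts in a short time. The log format, the outcome labels (including `MFA_BLOCKED`) and the thresholds are assumptions, and the sample events are constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample auth events (not real data): time, source IP, username, outcome.
# MFA_BLOCKED = the password was correct but the second factor stopped the login.
SAMPLE_LOG = """\
2022-12-06T10:00:01 203.0.113.7 alice@example.com FAIL
2022-12-06T10:00:03 203.0.113.7 bob@example.com FAIL
2022-12-06T10:00:04 203.0.113.7 carol@example.com SUCCESS
2022-12-06T10:00:06 203.0.113.7 dave@example.com FAIL
2022-12-06T10:00:09 203.0.113.7 erin@example.com MFA_BLOCKED
2022-12-06T10:00:11 203.0.113.7 frank@example.com FAIL
2022-12-06T10:02:00 198.51.100.20 grace@example.com FAIL
2022-12-06T10:03:10 198.51.100.20 grace@example.com SUCCESS
"""

def parse(log):
    for line in log.splitlines():
        ts, ip, user, outcome = line.split()
        yield datetime.fromisoformat(ts), ip, user, outcome

def detect_stuffing(log, window=timedelta(minutes=5), min_users=5):
    """Flag sources that try many *different* accounts within a short window."""
    by_ip = defaultdict(list)
    for event in parse(log):
        by_ip[event[1]].append(event)
    findings = {}
    for ip, events in by_ip.items():
        events.sort()
        start, peak = 0, 0
        for end in range(len(events)):
            # Slide the start forward until the span fits inside `window`.
            while events[end][0] - events[start][0] > window:
                start += 1
            peak = max(peak, len({e[2] for e in events[start:end + 1]}))
        if peak < min_users:
            continue  # e.g. one user mistyping their own password
        findings[ip] = {
            "distinct_users": peak,
            # Logged in with no second factor: data exposed, reset the password.
            "exposed": sorted({e[2] for e in events if e[3] == "SUCCESS"}),
            # Password is known to the attacker but 2FA held: still reset it.
            "password_known": sorted({e[2] for e in events if e[3] == "MFA_BLOCKED"}),
        }
    return findings

if __name__ == "__main__":
    print(detect_stuffing(SAMPLE_LOG))
```

Grouping by source IP is a simplification: campaigns that spread attempts across many addresses need the same distinct-account count keyed on another attribute, such as network range or client fingerprint.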

According to the company's report, the incident affected about 35,000 users. For two days, the hackers had access to the following user data: full name, date of birth, postal address, social security number, individual taxpayer identification number, transaction history, details of connected cards and PayPal billing data.

The company says it took timely action to limit the attackers' access to the platform and reset the passwords of the accounts that had been compromised. The company also claims that the attackers either did not attempt or did not manage to conduct any transactions from the hacked PayPal accounts.

“We have no information to suggest that any of your personal data was misused as a result of this incident, or that any unauthorized transactions took place on your account,” PayPal said in a message to affected users.
“We have reset the passwords of vulnerable PayPal accounts and have implemented advanced security controls that will require you to set a new password the next time you log into your account,” the company warned.

PayPal also strongly advised users who received a breach notification to enable two-factor authentication (2FA) in the Account Settings menu. This can prevent attackers from gaining access even if they have all the login information. The company also recommended changing the passwords for other online accounts so that the same thing does not happen to them.