By Jack Phillips
Some 35,000 PayPal user accounts have been hacked by “credential stuffing,” resulting in exposed names and Social Security numbers, according to a notification posted on a government website.
Through its lawyers, the California-based payment processor sent a notice to Maine’s attorney general. The company also sent a letter, dated Jan. 19, about the data breach to impacted users.
That letter said that the accounts were breached sometime between Dec. 6 and Dec. 8, 2022. The company said that it was able to deal with the attack soon after it occurred, according to the letter.
The notification to users said that 34,942 users were impacted by the incident and that unauthorized third parties gained access to their accounts. Those third parties, which were not identified, could view full names, dates of birth, Social Security numbers, addresses, and tax identification numbers.
“We have no information suggesting that any of your personal information was misused as a result of this incident, or that there are any unauthorized transactions on your account,” said PayPal’s letter.
Specifically, the hackers used a “credential stuffing” attack, in which username and password pairs exposed in previous data breaches are automatically submitted to a login page in bulk, in the hope that some users reused the same credentials.
“If you detect any suspicious activity on an account, change the password and security questions immediately, and promptly notify the company where the account is maintained,” PayPal said. “You may also add additional security for your PayPal account by enabling ‘2-step verification’ in your Account Settings. When links are present in an email, individuals should hover their mouse over the links to view the actual destination URL and should not click on the link if they are unsure of the destination URL or website.”
Furthermore, the company said it has reset passwords on the afflicted PayPal accounts. Impacted users will also get free identity monitoring services from Equifax, the consumer credit reporting company.
In a statement to PCMag, the company maintained that only a “small number of PayPal customer accounts” were impacted by the breach, and noted that neither its website nor its systems were hacked. The Epoch Times has contacted PayPal for comment.
“PayPal’s payment systems were not impacted, and no financial information was accessed,” the firm said. “We have contacted affected customers directly to provide guidance on this matter to help them further protect their information. The security and privacy of our customers’ account information remain a top priority for PayPal, and we sincerely apologize for any inconvenience this may have caused.”
Sam Curry, the chief security officer at Cybereason, told Forbes magazine that previous hacks “led to a large population’s passwords in use elsewhere being stolen, and because people often reuse passwords and have done so for a long time,” he added, “the hackers were able to brute slam PayPal accounts with these until they found 35,000 matches.”
“If a threat actor can access legitimate credentials – even if they’re dumped in a dark-web repository – they are only a few short, and in most cases, automated steps away from a successful intrusion,” Jasson Casey, the chief technology officer at Beyond Identity, told HackRead.
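The pattern the two experts describe, one source replaying leaked username/password pairs against many different accounts and succeeding only where a password was reused, is what a login-audit detector looks for. The following is an added illustration, not PayPal's tooling or anything from the article; the log format, the sample lines and the thresholds are assumptions.

```python
# Added example (not from the article): flag sources whose login pattern looks
# like credential stuffing: many distinct accounts tried, low success ratio,
# and the few successes are the accounts that need a password reset.
from collections import defaultdict
import re

# Assumed audit-log format, one event per line.
LINE = re.compile(r"^(?P<ts>\S+) src=(?P<src>\S+) user=(?P<user>\S+) result=(?P<result>ok|fail)$")

# Constructed sample: 203.0.113.9 sprays leaked pairs across eight accounts and
# hits two reused passwords; 198.51.100.4 is one user mistyping their own password.
SAMPLE_LOG = """\
2022-12-06T10:00:01Z src=203.0.113.9 user=alice result=fail
2022-12-06T10:00:02Z src=203.0.113.9 user=bob result=fail
2022-12-06T10:00:03Z src=203.0.113.9 user=carol result=fail
2022-12-06T10:00:04Z src=203.0.113.9 user=dave result=ok
2022-12-06T10:00:05Z src=203.0.113.9 user=erin result=fail
2022-12-06T10:00:06Z src=203.0.113.9 user=frank result=fail
2022-12-06T10:00:07Z src=203.0.113.9 user=grace result=ok
2022-12-06T10:00:08Z src=203.0.113.9 user=heidi result=fail
2022-12-06T10:01:00Z src=198.51.100.4 user=ivan result=fail
2022-12-06T10:01:10Z src=198.51.100.4 user=ivan result=fail
2022-12-06T10:01:20Z src=198.51.100.4 user=ivan result=ok
"""

def parse(text):
    """Yield parsed events; lines not matching the assumed format are skipped."""
    for line in text.splitlines():
        m = LINE.match(line)
        if m:
            yield m.groupdict()

def detect_stuffing(log_text, min_accounts=5, max_success_rate=0.25):
    """Return {src: summary} for sources trying >= min_accounts distinct accounts
    with a success ratio at or below max_success_rate (thresholds are assumptions)."""
    per_src = defaultdict(lambda: {"users": set(), "ok": 0, "fail": 0, "hit": set()})
    for ev in parse(log_text):
        s = per_src[ev["src"]]
        s["users"].add(ev["user"])
        if ev["result"] == "ok":
            s["ok"] += 1
            s["hit"].add(ev["user"])  # a reused password matched: reset this account
        else:
            s["fail"] += 1
    findings = {}
    for src, s in per_src.items():
        total = s["ok"] + s["fail"]
        if len(s["users"]) >= min_accounts and s["ok"] / total <= max_success_rate:
            findings[src] = {"accounts_tried": len(s["users"]), "failed": s["fail"],
                             "succeeded": s["ok"], "reset_needed": sorted(s["hit"])}
    return findings
```

On the sample, only 203.0.113.9 is flagged, and `reset_needed` names the two accounts whose reused passwords matched; the single-user source is ignored because one person retrying their own password is not stuffing.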
The security breach comes just days after T-Mobile confirmed an unidentified malicious intruder breached its network in late November 2022 and stole data on 37 million customers, according to a regulatory filing with the U.S. Securities and Exchange Commission.
T-Mobile said that the data breach was discovered on Jan. 5, adding that the stolen data did not include critical information such as PINs, bank account numbers, credit card information, Social Security numbers, or government identification numbers. Instead, addresses, phone numbers, and dates of birth were accessed, the filing said.
“Our investigation is still ongoing, but the malicious activity appears to be fully contained at this time,” T-Mobile said, adding that the data was first accessed around Nov. 25, 2022, but wasn’t discovered until weeks later.