PayPal acknowledges breach that affected 35,000 users
January 20, 2023
PayPal is sending notifications to thousands of users to warn them of a data breach in which their accounts were accessed through credential stuffing attacks. In such an attack, malicious actors test username and password combinations obtained from other data breaches, relying on the fact that many people reuse the same password across different services.
Because manually testing stolen credentials against various services would be cumbersome, attackers often automate the process with bots that run through credential lists and fill in service login forms.
PayPal explains that the credential stuffing attack occurred between December 6 and 8, 2022, and that it took action as soon as it found out. But the company didn't stop there: it also conducted an internal investigation to find out how the attackers obtained user credentials and the corresponding access to their accounts.
The payment intermediary closed its investigation on December 20, 2022, concluding that unauthorized third parties were able to gain access with valid credentials. On the other hand, it also said that it has not detected any breach in its systems and has no evidence that credentials were obtained from its databases.
A report released by PayPal regarding the data breach states that a total of 34,942 users were affected. During the two-day attack, malicious actors were able to gain access to data such as full names, dates of birth, mailing addresses, social security numbers, account holder tax identification numbers, transaction history, credit or debit card information, and PayPal billing information.
To end the attack, PayPal took the necessary measures to limit the attackers' access and performed a password reset on the accounts it was able to confirm were breached. However, it is shocking to see that, at least according to the company's version, the attackers did not conduct any monetary transactions or were not able to do so. The company is also not aware of any misuse of the data accessed by the malicious actors.
PayPal recommends using a strong, long password that combines alphanumeric characters and symbols and isn’t reused (which can be helped by using a password manager), and it also recommends enabling two-step verification when you start setting up your account. Users affected by the breach will receive two years of free identity monitoring from Equifax.
Alice Smith is a seasoned journalist and writer for Div Bracket. She has a keen sense of what’s important and is always on top of the latest trends. Alice provides in-depth coverage of the most talked-about news stories, delivering insightful and thought-provoking articles that keep her readers informed and engaged.