PayPal was breached between December 6 and December 8, 2022, and the cybercriminals got away with the sensitive data of 34,942 accounts. The data included names, addresses, Social Security numbers, personal tax identification numbers and dates of birth.
The company has started sending notifications to the affected account users, blaming a credential-stuffing attack for the breach.
“On December 20, 2022, we confirmed that unauthorised parties were able to access your PayPal customer account using your login credentials,” PayPal said in the notification sent on Wednesday.
PayPal stopped the unauthorised access and began an investigation after learning about the breach on December 8. The passwords of the affected accounts were reset and the company “implemented enhanced security controls” that will require users of the affected accounts to enter a new password.
“We have no information suggesting that any of your personal information was misused due to this incident or that there are any unauthorised transactions on your account. There is also no evidence that your login credentials were obtained from any PayPal systems.”
The fintech company also mentioned that the notification wasn’t delayed due to a law enforcement investigation. The company has implemented Equifax’s identity monitoring services, which will be offered free of cost for the next two years.
All those affected are advised to update their account passwords and avoid using the same password and username combination for other accounts online.
Other companies, including LastPass, have also been affected by credential-stuffing attacks in the past.