Nearly 35,000 PayPal Users Have Been Hit by Credential Stuffing Attacks

PayPal representatives informed users about the massive credential stuffing attacks, which have already affected about 35,000 people.

The company emphasizes that the attacks were not due to hacking into PayPal systems, and user credentials seem to have been obtained from other sources.

Let me remind you that we also said that Magento: PayPal $0 Dollar Transaction Issue, and also that Xiaomi Smartphones with MediaTek Chips Are Vulnerable to Counterfeit Payments.

In addition, information security specialists said that PayPal accounts were massively attacked through integration with Google Pay.

Let me remind you that the term credential stuffing usually refers to situations where usernames and passwords are stolen from some sites and then used on others. That is, attackers have a ready-made credential database (acquired on the dark web, collected on their own, and so on) and try to use this data in automated attacks to log in to other sites and services under the guise of their victims.

PayPal reports that credential spoofing attacks occurred between December 6 and 8, 2022. The company then detected suspicious activity and took action to stop it, and also launched an internal investigation to find out how hackers get access to other people’s accounts.

By around December 20, 2022, the investigation was completed, confirming that unauthorized persons logged into other people’s accounts using valid credentials.

As a result, the incident affected 34,942 users. Within two days, the hackers had access to the full names of account holders, their dates of birth, postal addresses, social security numbers and individual taxpayer identification numbers. The attackers also had access to transaction histories, information about the connected credit or debit cards, and billing data.

PayPal assures that it detected the attacks in a timely manner and took measures to limit attackers’ access to the platform, as well as reset passwords from accounts that were hacked. At the same time, it is alleged that the attackers did not try or could not carry out any transactions from the hacked accounts.

We have no data to suggest that any of your personal information was misused or any unauthorized transactions were made in your account as a result of this incident. We have reset the passwords of compromised PayPal accounts and have implemented additional security controls that will require you to set a new password the next time you log into your account.PayPal message sent to all those affected says.
Affected platform customers will reportedly receive two years of free credit monitoring and identity theft protection from Equifax. Also, recipients of notifications are strongly advised to change the password not only from PayPal, but also for other online accounts (using unique and long combinations), and also activate two-factor authentication.
User Review
0 (0 votes)
Comments Rating 0 (0 reviews)

Daniel Zimmermann

Daniel Zimmermann has been writing on security and malware subjects for many years and has been working in the security industry for over 10 years. Daniel was educated at the Saarland University in Saarbrücken, Germany and currently lives in New York.

Related Articles

Leave a Reply

Your email address will not be published. Required fields are marked *


This site uses Akismet to reduce spam. Learn how your comment data is processed.

Back to top button