PayPal has issued a warning to some of its customers that their accounts have been hacked, and that some sensitive data has been compromised.
In its report, the company confirmed that on December 20, 2022, an unauthorized third party accessed a number of PayPal accounts. Further investigation revealed that whoever is behind the attack had access to the accounts between December 6 and December 8, 2022.
“During this time, unauthorized third parties were able to view and possibly obtain certain personal information of some PayPal users,” the warning reads. This data includes users’ names, addresses, social security numbers, individual tax identification numbers, and/or dates of birth.
There is no evidence of misuse
PayPal hasn’t explained exactly how the attackers gained access to these accounts, other than to say there’s “no evidence” that login credentials were taken from the company’s systems.
PC Reports indicate that the hack was caused by credential stuffing, a type of attack in which attackers try many credentials taken from elsewhere against a login page until one of them finally works.
This method relies on people using the same passwords across multiple services so that if one gets hacked, they are all at risk. The same report also claims that 34,942 accounts have been compromised, and transaction records, connected credit or debit card details, and PayPal billing data may also have been accessed.
What the hackers will do with the data obtained in the attack is not yet clear. Currently, PayPal has no evidence of data being misused, but it’s safe to assume it would be used for identity theft, phishing, or other forms of social engineering attacks.
To protect its users, PayPal reset passwords for affected users, and “Enhanced Security Controls” require users to set up a new account at their next login. Users were also given free identity monitoring services for one year through Equifax.
Via: BleepingComputer