PayPal has been hacked with thousands affected - Is your account safe?
Thousands of PayPal accounts have been hacked, according to a notice of security incident released by the multinational payment platform on January 18th. What does this mean for account holders? What information did these cybercriminals get access to? What should PayPal account holders do next?
According to the report released by PayPal, hackers managed to gain unauthorized access to at least 34,942 accounts. The attack was launched between December 6 - 8, 2022. The cybercriminals used a credential-stuffing attack to gain access to these accounts.
A credential-stuffing attack automatically forces its way into an account by using re-used credentials from other services. This means that anyone using the same password across multiple accounts has a higher chance of being caught in this attack. It also means that if you fall victim, you should check your other accounts as well as chances are one of them have also been breached.
Despite the security features that PayPal has in place, users reusing their passwords across multiple platforms creates a vulnerability in the payment systems defenses. This can then easily be exploited using a credential-stuffing attack.
In response to this attack, Paypal has already sent an official notification to all affected users. This notification clarifies the details of the attack. The notification went on to explain to users that at this point, there’s no evidence indicating that account information was misused or that any transactions were made from affected accounts. PayPal has also revoked all third-party access to the affected accounts.
However, it should be noted that these criminals did have access to personal information. This information includes name, address, Social Security number, individual tax identification number, and date of birth - everything a cybercriminal could need for identity fraud and theft.
Taking responsibility for the potential harm this hack could cause, PayPal is offering all affected account holders two years of free access to identity monitoring services from Equifax.
Customers who have received this notification are urged to make use of the identity monitoring services. It’s also recommended that these users immediately change the passwords of all of their accounts and wherever possible, enable two-factor authentication.
Account users who haven’t received a notification are unaffected by this most recent credential-stuffing attack. However, users are urged to change their passwords if they use the same password across multiple accounts to prevent any future issues of this nature. If you’re concerned about keeping track of multiple different passwords, a password manager like 1Password or Bitwarden makes this a painless exercise.
This latest hack proves how important it is to use strong and unique passwords for your accounts. In this case, the hack affected users who have re-used passwords across multiple accounts. This could’ve been avoided had users implemented unique, strong password usage. Hopefully, PayPal will also take additional steps in its security protocols to better protect against these types of attacks in the future.
Advertisement
I wasn’t notified by PayPal and now I don’t feel safe.
I wonder why wasn’t this published on “Have I Been Pwned”? Seems like a big enough breach.
Maybe because it wasn’t a direct breach?
I stopped using this greedy corporate years ago when they kept putting fees up and changing terms and conditions to always favour them. I didn’t realise anyone still used them.
The article grammar is very inconstant – it mostly looks like a mass “copy-and-paste” job. Why have you used the word “between” then try write the range like so: “December 6 – 8, 2022”. Did you get AI to suggest how to write most of the article?
There are four hyperlinks; they all have no relevance to the important “security report” that is supposedly being quoted. Shaun, giving credit to your sources is called Citing or Referencing a source.
It comes across like the author of this article is an imitator in words as well as deeds.
I use a generator to give me a long complex password for each account I have, and enable 2FA if available. This is article is why!
> “Social Security number, individual tax identification number,”
Yikes and glad PP’s collection of SSN is illegal because they aren’t deposit insured and legally a bank. They never got mine and I’ve since not used PP except in extreme circumstances.
TIN’s however can be requested by anyone doing business with a party via the corresponding IRS form and fined if they don’t comply. So not so “private”.
Thanks for the intel.