PayPal notifies customers of data breach

On January 18, 2023, PayPal began notifying affected users of a credential stuffing attack. Credential stuffing occurs when stolen credentials are used to gain access to accounts.


On December 20, 2022, PayPal confirmed that the data breach exposed the name, address, Social Security number, individual tax identification number, phone number, and/or date of birth of 34,942 PayPal users.


PayPal became aware of the attack on December 8, 2022, and on the same day terminated the unauthorized users’ access to PayPal systems. The company believes that the data breach occurred between December 6th and December 8th of 2022.


PayPal stated that there have been no unauthorized transactions on the user accounts and that the company is unaware of misuse of the stolen customer data. However, as is standard in data breaches, PayPal is offering the affected users 24 months of Equifax identity protection and credit monitoring.


PayPal stated that it also took precautions to contain the December attack and help customers prevent future attacks. These precautions included masking the personal information so it is no longer visible, engaging outside counsel to assist in investigating this matter, resetting passwords for the affected PayPal accounts, and implementing enhanced security controls to prevent any further unauthorized access.

