cyber daily logo

Breaking news and updates daily. Subscribe to our Newsletter

Breaking news and updates daily. Subscribe to our Newsletter X facebook linkedin Instagram Instagram

35k PayPal accounts compromised by credential stuffing attack

Online financial service PayPal has confirmed it was hit by a robust credential stuffing attack, which has led to the compromise of 34,942 customers.

user icon David Hollingworth
Fri, 20 Jan 2023
35k PayPal accounts compromised by credential stuffing attack
expand image

The attack occurred on 6 December last year and was noticed on the 20th of the same month, according to a data breach notice filed with the Office of the Maine Attorney General.

The data breach notification was filed on 18 January and PayPal contacted affected customers on the same day.

PayPal seems unsure of what exact data was compromised, but said in its letter that it could include names and addresses, Social Security numbers, tax IDs, and dates of birth. PayPal believes that any of this information has yet been taken advantage of.


“We have no information suggesting that any of your personal information was misused as a result of this incident, or that there are any unauthorised transactions on your account,” the letter reads. “There is also no evidence that your login credentials were obtained from any PayPal systems.”

The affected accounts have been secured, and PayPal is offering victims two years of identity protection and credit monitoring with Equifax.

“We reset the passwords of the affected PayPal accounts and implemented enhanced security controls that will require you to establish a new password the next time you login to your account,” the letter reads.

Credential stuffing works with account details acquired or stolen from elsewhere, and applies them in a brute-force attack on other networks. Once the attack succeeds, however, i’s possible that operators can now use name and password combinations they know to be good to access other services that also use the same details.

This is why it is generally a good idea to have distinct username/password combinations for each service you might use.

PayPal has an interesting history when it comes to account breaches and fraud. Going back as far as 2001 — soon after it renamed itself PayPal from X.com the business was losing millions to hackers and other fraud.

The AI and deep learning-based systems put in place to counter this loss led in turn to PayPal’s founder, Peter Thiel, to found the big data company Palantir.

Palantir now works for a range of US government agencies in roles as diverse as counter-terrorism and cyber analysis.

David Hollingworth

David Hollingworth

David Hollingworth has been writing about technology for over 20 years, and has worked for a range of print and online titles in his career. He is enjoying getting to grips with cyber security, especially when it lets him talk about Lego.

cyber daily subscribe
Be the first to hear the latest developments in the cyber industry.