PayPal massively sends notifications of data leakage. According to the results of a hacker attack, personal data of many users fell into the hands of attackers.
PayPal claims that the attack occurred from December 6 to 8, 2022. The company quickly discovered it and took appropriate measures, but also began an internal investigation to find out how hackers gained access to accounts.
December 20, PayPal completed the investigation and confirmed that unauthorized third parties really entered the compromised accounts, but this did not happen at all due to the vulnerability of the PayPal platform.
The group responsible for the hack was applied by the Credential Stuffing method, in which special software simply sorts out combinations of the accounts received by attackers during previous leaks. In other words, logins/passwords could merge from a completely different service and for a very long time, but successfully apply them for authorization in PayPal accounts. It was possible to steal personal information only from those accounts that were not protected by two -factor authentication.
According to the company’s report, the incident affected about 35 thousand users. Within two days, hackers had access to the following data of the service users: name, date of birth, mailing address, social insurance number, individual identification number of the taxpayer, the history of transactions, data of the connected cards and the data of the passage of PayPal.
The company claims to take timely actions to limit the access of the attackers to the platform and lose the passwords of accounts that were hacked. The company also claims that the attackers did not try or could not conduct any transactions from the hacking records of PayPal.
“We do not have information to assume that any of your personal data was used for other purposes as a result of this incident, or that any unauthorized transactions were carried out in your account,” the PayPal message reported Users.
“We dropped the passwords of vulnerable PayPal accounts and introduced expanded security controls that will require you to install a new password at the next entry into your account,” the company warned.
PayPal also urged users who received a notification of hacking to activate two -factor authentication (2FA) in the “Account Settings” menu. This can prevent the access of attackers, even if they have all the data for entering the account. The company also recommended changing passwords from other online accounts so that the situation does not happen again with them.