A notification letter was sent to customers of the digital payment service this week, informing them that the personal data of 35,000 PayPal accounts had been exposed in December.
PayPal attributed the breach to "unauthorised parties" who accessed the accounts using the account holders' own login details. In other words, whoever got into the accounts knew or had guessed their targets' usernames and passwords, potentially by collecting them from some other website where those individuals had reused the same login information.
The lesson, as ever: use a different password for every website and app you use. According to details filed with the Maine Attorney General, 34,942 customers were affected by the credential-stuffing incident, which took place on December 6.
Customers' names, addresses, Social Security numbers, unique tax identification numbers, and dates of birth were among the data exposed.
“We have no information suggesting that any of your personal information was misused as a result of this incident, or that there are any unauthorized transactions on your account,” the notification letter [PDF] said. “There is also no evidence that your login credentials were obtained from any PayPal systems.”
Later that month, after discovering the accounts had been raided, PayPal said it "promptly" began an investigation and took steps to stop the intruders from collecting any more customer data, most likely bank account details. The payment company also "implemented enhanced security controls" and reset the passwords on the compromised PayPal accounts.
According to the notice, PayPal did not report the security breach to law enforcement.
PayPal is offering affected customers two years of complimentary Equifax credit-monitoring services, even though that company does not itself have a great reputation for securing customer information.
Unfortunately, this latest lapse came only a few months after PayPal rolled out passkeys for passwordless login on Apple devices, in an effort to give users a much stronger authentication option than passwords.
Microsoft estimates there are 579 password-related attacks every second, or nearly 18 billion a year. Because people tend to choose weak passwords or reuse them across services, most of those attacks succeed.
According to Timothy Morris, chief security advisor at Tanium, multi-factor authentication might have prevented this and other credential-stuffing attacks.
“This is a prevailing issue where users are using the same id/password combinations for multiple sites and applications,” he told The Register, adding that info stolen from PayPal customers could be used for identity theft or sold on hacking forums.
“Credential stuffing is successful because many of those combinations are on the dark web from previous breaches,” Morris said.
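Morris's point about replayed credentials also suggests what a defender can look for in authentication logs: a stuffing run replays leaked username/password pairs at scale, so one source produces failed logins spread across many different usernames in a short time, with an occasional success where the reused password still works. The Python script below is an added illustration of that detection logic and is not code from The Register, PayPal or Tanium; the log lines are constructed sample data, and the window size, minimum distinct-user count and failure ratio are assumed thresholds that a real deployment would tune.

```python
"""Flag likely credential-stuffing sources in authentication logs.

Added example: constructed log lines and assumed thresholds, not real data.
Credential stuffing looks different from classic brute force: instead of one
account hammered with many passwords, one source tries MANY accounts with a
handful of leaked passwords each, so the telltale is a high count of distinct
usernames from a single IP inside a short window, mostly failing.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: "<ISO timestamp> <source IP> <username> <FAIL|SUCCESS>"
SAMPLE_LOG = """\
2022-12-06T02:00:01Z 203.0.113.7 alice FAIL
2022-12-06T02:00:03Z 203.0.113.7 bob FAIL
2022-12-06T02:00:05Z 203.0.113.7 carol SUCCESS
2022-12-06T02:00:06Z 203.0.113.7 dan FAIL
2022-12-06T02:00:08Z 203.0.113.7 erin FAIL
2022-12-06T02:00:09Z 203.0.113.7 frank FAIL
2022-12-06T02:00:11Z 203.0.113.7 grace FAIL
2022-12-06T02:00:12Z 203.0.113.7 heidi FAIL
2022-12-06T02:10:00Z 198.51.100.20 ivan FAIL
2022-12-06T02:10:20Z 198.51.100.20 ivan SUCCESS
2022-12-06T02:20:00Z 192.0.2.5 judy FAIL
2022-12-06T02:20:01Z 192.0.2.5 judy FAIL
2022-12-06T02:20:02Z 192.0.2.5 judy FAIL
2022-12-06T02:20:03Z 192.0.2.5 judy FAIL
2022-12-06T02:20:04Z 192.0.2.5 judy FAIL
2022-12-06T02:20:05Z 192.0.2.5 judy FAIL
"""


def parse_log(text):
    """Return a list of (timestamp, ip, username, succeeded) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, user, result = line.split()
        when = datetime.fromisoformat(ts.replace("Z", "+00:00"))
        events.append((when, ip, user, result == "SUCCESS"))
    return events


def find_stuffing_sources(events, window=timedelta(minutes=5),
                          min_users=5, min_fail_ratio=0.75):
    """Sliding-window scan per source IP.

    An IP is flagged when, within `window`, it attempts at least `min_users`
    distinct usernames and at least `min_fail_ratio` of those attempts fail.
    Returns {ip: summary of the widest matching window}, including which
    accounts the source successfully logged into (candidates for a forced
    password reset and MFA enrolment).
    """
    by_ip = defaultdict(list)
    for ev in events:
        by_ip[ev[1]].append(ev)

    alerts = {}
    for ip, evs in by_ip.items():
        evs.sort(key=lambda e: e[0])
        start = 0
        for end in range(len(evs)):
            # Advance the left edge until the window spans at most `window`.
            while evs[end][0] - evs[start][0] > window:
                start += 1
            win = evs[start:end + 1]
            users = {e[2] for e in win}
            failures = sum(1 for e in win if not e[3])
            fail_ratio = failures / len(win)
            if len(users) >= min_users and fail_ratio >= min_fail_ratio:
                hit = {
                    "distinct_users": len(users),
                    "attempts": len(win),
                    "failures": failures,
                    "accounts_logged_in": sorted(e[2] for e in win if e[3]),
                }
                prev = alerts.get(ip)
                if prev is None or hit["distinct_users"] > prev["distinct_users"]:
                    alerts[ip] = hit
    return alerts


if __name__ == "__main__":
    for ip, summary in find_stuffing_sources(parse_log(SAMPLE_LOG)).items():
        print(ip, summary)
```

On the sample data only 203.0.113.7 is flagged (eight usernames in eleven seconds, seven failures, one successful login to "carol"); the single-user brute-force source 192.0.2.5 and the legitimate user who mistyped once are not, because the distinct-username test is what separates stuffing from ordinary failed logins. The `accounts_logged_in` list is the actionable output: those are the accounts whose reused passwords worked and which need a reset and a second factor.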