PayPal Hack, Names and SSN Exposed
Some 35,000 PayPal user accounts have been hacked by “credential stuffing,” resulting in exposed names and Social Security numbers, according to a notification posted on a government website.
Through its lawyers, the California-based payment processor sent a notice to Maine’s attorney general. The company also sent a letter, dated Jan. 19, about the data breach to impacted users.
That letter said that the accounts were breached sometime between Dec. 6 and Dec. 8, 2022. The company said that it was able to deal with the attack soon after it occurred, according to the letter.
The notification to users said that 34,942 users were impacted by the incident and that unauthorized third parties gained access to their accounts. Those third parties, which were not identified, could view full names, dates of birth, Social Security numbers, addresses, and tax identification numbers.
“We have no information suggesting that any of your personal information was misused as a result of this incident, or that there are any unauthorized transactions on your account,” said PayPal’s letter.
Specifically, the hackers used a “credential stuffing” attack that involves automatically injecting login credentials that were found during previous data breaches.
“If you detect any suspicious activity on an account, change the password and security questions immediately, and promptly notify the company where the account is maintained,” PayPal said. “You may also add additional security for your PayPal account by enabling ‘2-step verification’ in your Account Settings. When links are present in an email, individuals should hover [their] mouse over the links to view the actual destination URL and should not click on the link if [they] are unsure of the destination URL or website.”
Furthermore, the company said it has reset passwords on the afflicted PayPal accounts. Impacted users will also get free identity monitoring services from Equifax, the consumer credit reporting company.