Security News > 2023 > January > PayPal says crooks poked around 35,000 accounts in credential stuffing attack
The personal information of 35,000 PayPal users was exposed in December, according to a notification letter sent to the online payment company's customers this week.
PayPal attributed this privacy breach to "Unauthorized parties," who accessed accounts using customer login credentials.
Upon discovering the raid on accounts later in the month, PayPal said it "Promptly" launched an investigation and took steps to prevent the crooks from stealing additional customer information - like bank account info, we would assume.
PayPal is giving affected customers two years of free Equifax services, although the credit monitoring firm doesn't have the best track record when it comes to protecting customer data, either.
In 2017, Equifax was compromised in a cyberattack that the company attributed to the Chinese military in which the attackers stole personal information belonging to about 146.6 million people in the US, Canada, and the UK. This latest snafu also happened a couple months after the PayPal implemented added passkeys for passwordless login to accounts across Apple devices in a move to provide customers with a more secure authentication method compared to passwords.
"This is a prevailing issue where users are using the same id/password combinations for multiple sites and applications," he told The Register, adding that info stolen from PayPal customers could be used for identity theft or sold on hacking forums.
News URL
https://go.theregister.com/feed/www.theregister.com/2023/01/19/paypal_data_breach/
Related news
- Retail chain Hot Topic hit by new credential stuffing attacks (source)
- Roku warns 576,000 accounts hacked in new credential stuffing attacks (source)
- Okta warns of "unprecedented" credential stuffing attacks on customers (source)
- Okta Warns of Unprecedented Surge in Proxy-Driven Credential Stuffing Attacks (source)