PayPal has recently suffered a massive data breach, and if you were one of the affected users, your details may have been leaked. Given the nature of a PayPal account, the exposed data includes some of the most sensitive information, which could put those users at risk of identity theft.
The company is taking steps to protect the accounts from further damage. Here’s what we know about what happened and how to protect yourself.
According to PayPal, an unauthorized third party was able to access close to 35,000 PayPal accounts. The breach took place in December 2022, and PayPal names December 6 to 8 as well as December 20 as the dates when it occurred. During those time windows, the attacker was able to view, and possibly acquire, most of the sensitive data tied to a PayPal account.
PayPal issued a warning to the users whose data may have been compromised. In the report, PayPal states: “The personal information that was exposed could have included your name, address, Social Security number, individual tax identification number, and/or date of birth.”
It’s possible that invoicing data and credit card or debit card details may have been accessed. It’s unclear what will happen to the stolen data, but it’s safe to assume that some form of identity theft or phishing is in the cards.
The company didn’t divulge exactly how the attackers were able to access the accounts, although it claims it hasn’t found evidence of hackers stealing the user data directly from PayPal’s systems. On the other hand, Bleeping Computer reports that the attackers were able to hack into the accounts through credential stuffing. This means that they may have tried login credentials stolen elsewhere, in massive quantities, until some of them worked.
As a response to the attack, PayPal reset the passwords on all of the accounts that were affected. If your account was one of them, you’ll be asked to set up a new password the next time you try to log in. PayPal is also giving each of those users a two-year subscription to Equifax, an identity monitoring service.
To protect yourself from similar attacks, make sure not to use the same login credentials (password and username or email) across multiple websites and apps. In addition, it’s always a good idea to set up two-factor authentication on services like PayPal to be extra sure that your data is safe from attacks.