PayPal has started shipping data breach alerts to thousands of users. Hackers managed to gain access to their accounts through credential stuffing attacks.
Credential stuffing attacks are attacks where hackers try to gain access to an account by trying usernames and passwords derived from data leaks on various websites.
This type of attack is performed automatically with scripts that run lists of credentials to "populate" login forms to various services. Credential stuffing targets users who use the same password across multiple online accounts, a behavior also known as "password recycling."
PayPal says these attacks occurred between December 6 and 8, 2022. The company detected and stopped them at that time. At the same time, an internal investigation was launched to find out how the hackers gained access to the accounts.
As of December 20, 2022, PayPal has completed its investigation, confirming that unauthorized third parties connected to the accounts with valid credentials.
The online payment platform claims this was not due to a breach of its systems and has no evidence that any other user credentials were leaked by the attack.
But according to PayPal's breach report, 34.942 of its users have been affected by the incident. Over the course of two days, the hackers accessed account holders' full names, dates of birth, mailing addresses, social security numbers and tax ID numbers.
George is still wondering what he is doing here….
