DIGITAL LIFE
Nearly 35,000 PayPal accounts hacked, PayPal passwords reset
PayPal sent an account takeover notice to thousands of users, stating that between December 6th and 8th, hackers attempted to access user accounts. The attack allowed hackers to access users' names, mailing addresses, social security numbers, tax identification numbers and dates of birth.
The company reported the incident to the Maine (USA) Attorney General.
On December 20, PayPal confirmed that hackers carried out so-called “credential stuffing” attacks trying to gain access to users' personal and financial information.
This type of attack involves hackers using username and password combinations that have been leaked in other incidents, hoping that users will use the same combinations on other websites. The attack relies on an automated approach with bots using lists of leaked credentials that they “inject” into the login pages of various online services. Since these attacks are fully automated, it is possible to initiate a million login attempts with minimal effort from the hackers themselves. The attack targets users who use the same password for multiple online accounts, a practice known as "password recycling".
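The pattern described above leaves a recognizable trace in login logs: one source trying many different usernames, with most attempts failing. The following Python code is an added example, not PayPal's detection logic and not part of the original article; the event format, the thresholds and the name `detect_stuffing` are assumptions, the sample events are constructed, and grouping by source address is a simplification, since real campaigns spread attempts across many addresses.

```python
from collections import defaultdict

# Constructed sample login events: (source_ip, username, login_succeeded).
# Addresses come from the documentation-only ranges (RFC 5737).
SAMPLE_EVENTS = (
    # One source walking a leaked list: many usernames, almost all failures.
    [("203.0.113.7", f"user{i}", False) for i in range(7)]
    + [("203.0.113.7", "erin", True)]
    # A real user mistyping a password: one username, a few failures.
    + [("198.51.100.20", "alice", False)] * 3
    + [("198.51.100.20", "alice", True)]
    # A shared office address: several usernames, all successful.
    + [("192.0.2.50", f"staff{i}", True) for i in range(5)]
)


def detect_stuffing(events, min_users=5, max_success_ratio=0.2):
    """Flag sources that try many distinct usernames with mostly failed logins.

    Returns {source_ip: summary}. Each summary lists the accounts that were
    logged into successfully from that source, which are the ones that need
    a forced password reset.
    """
    stats = defaultdict(lambda: {"users": set(), "attempts": 0, "hits": set()})
    successes = defaultdict(int)
    for ip, user, ok in events:
        entry = stats[ip]
        entry["users"].add(user)
        entry["attempts"] += 1
        if ok:
            successes[ip] += 1
            entry["hits"].add(user)

    flagged = {}
    for ip, entry in stats.items():
        ratio = successes[ip] / entry["attempts"]
        # Many usernames alone is not enough (shared NAT); many failures alone
        # is not enough (typos). Stuffing shows both at once.
        if len(entry["users"]) >= min_users and ratio <= max_success_ratio:
            flagged[ip] = {
                "distinct_users": len(entry["users"]),
                "attempts": entry["attempts"],
                "success_ratio": ratio,
                "accounts_to_reset": sorted(entry["hits"]),
            }
    return flagged


if __name__ == "__main__":
    for ip, summary in detect_stuffing(SAMPLE_EVENTS).items():
        print(ip, summary)
```
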
PayPal said the attack took place between December 6 and 8, 2022. The company then discovered and stopped it, and launched an internal investigation to find out how the hackers gained access to the accounts.
On December 20, 2022, PayPal concluded its investigation, confirming that "unauthorized third parties" had logged into accounts with valid credentials.
The electronic payment platform claims that its systems were not hacked and that there is no evidence that user credentials were obtained directly from it.
According to PayPal's data breach report, exactly 34,942 of its users were affected by this incident. Over the course of two days, hackers gained access to account holders' full names, dates of birth, mailing addresses, social security numbers and tax identification numbers. Transaction history, associated credit or debit card information, and PayPal account information are also accessible from within a PayPal account.
PayPal says it has taken timely steps to restrict hacker access to the platform and reset passwords for accounts that have been confirmed to be hacked.
The notice sent by PayPal to users states that the attackers either did not attempt or failed to complete any transactions from the hacked PayPal accounts.
"We have no information to indicate that any of your personal information was misused as a result of this incident, or that there were unauthorized transactions on your account," the PayPal notice stated.
"We have reset passwords for affected PayPal accounts and implemented enhanced security controls that will require you to set a new password the next time you log into your account."
Customers will receive two years of free credit monitoring, fraud alerts, identity recovery service and identity theft insurance worth up to $1 million from Equifax.
PayPal recommends that notification recipients also change the passwords for their other online accounts, choosing unique passwords that are at least 12 characters long and include alphanumeric characters and symbols.
PayPal advises users to enable Two-Factor Authentication (2FA) protection in the "Account Settings" menu, which can prevent unauthorized third parties from accessing the account even if they have a valid username and password.
PayPal is one of the brands most often used as bait in phishing emails and other scams. That's why, when logging into PayPal, you should first make sure you're on the right website. Check the URL for errors and never open links or attachments in suspicious emails.
mundophone