
PayPal, hackers access the accounts of over 35,000 users: credit card data and history stolen



PayPal has sent data breach notifications to thousands of users, all of whom have had their account credentials stolen. The unauthorized logins were made possible by a rather trivial but effective tactic called “credential stuffing”, which consists of trying email address and password pairs taken from archives of other data breaches.


Essentially, hackers break into a site’s databases and obtain the credentials of hundreds of thousands of users. These credentials are then put up for sale on the black market and bought by other hackers, who use them to try to access other services and platforms, in the hope that (1) the victims of the previous data breach are also registered on the platform targeted by the new attack, and (2) the victim uses the same password on multiple sites.

The targets of “credential stuffing” attacks are precisely the users who use the same password for multiple online accounts, a practice known as “password recycling” that almost every expert advises against. Around 35,000 users were affected. PayPal explains that the credential stuffing attack took place between December 6 and 8, 2022. The company detected it almost immediately, mitigating the consequences.

The internal investigation carried out by the company ended on 20 December. The verdict? The theft of the accounts does not in any way depend on a failure by PayPal, whose computer systems have not been hacked.


However, the hackers reportedly managed to steal the personal information of the victims of the attack: full names, dates of birth, postal addresses and social security numbers. Unfortunately, that is not all: they also obtained the complete history of all transactions, as well as the credit card data used to make online purchases.

PayPal says it has taken prompt steps to limit hackers’ access to the platform and has reset the passwords of accounts that had been hacked. Furthermore, the report confirms that the attackers either did not attempt or did not manage to carry out transactions from the hacked PayPal accounts.

