Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Application Security

PayPal Warns Users of Credential Stuffing Attacks

PayPal is alerting roughly 35,000 individuals that their accounts have been targeted in a credential stuffing campaign.

Online payments system PayPal is alerting roughly 35,000 individuals that their accounts have been targeted in a credential stuffing campaign.

“On December 20, 2022, we confirmed that unauthorized parties were able to access your PayPal customer account using your login credentials,” the company said in the notification letter sent to the impacted individuals.

According to PayPal, between December 6 and 8, 2022, a third party accessed user accounts using login credentials obtained elsewhere. The unauthorized access was eliminated on December 8.

The company says the attackers likely obtained the login credentials via phishing or related nefarious activity, as it found no evidence that the company’s systems were breached.

The attackers, the company says, were able to access and potentially steal personal information from the victim accounts, including names, addresses, phone numbers, birth dates, individual tax identification numbers, and Social Security numbers.

“As of the time of writing, we have no information suggesting that any personal information was misused as a result of this incident, nor have there been unauthorized transactions on the affected accounts,” PayPal told the Maine Attorney General’s Office.

The online payments platform says it reset the passwords for the impacted user accounts and implemented “enhanced security controls to prevent any further unauthorized access”.

“We have not informed law enforcement of this incident, and this notification was not delayed as a result of a law enforcement investigation,” PayPal said.

Advertisement. Scroll to continue reading.

The company told the Maine Attorney General that a total of 34,942 individuals were impacted in the incident.

In credential stuffing attacks, threat actors use leaked credentials obtained from a third-party source (often purchased on hacker forums) to access user accounts on different services. Such attacks are possible due to the reuse of credentials across multiple services.

Related: DraftKings Data Breach Impacts Personal Information of 68,000 Customers

Related: FBI Warns of Proxies and Configurations Used in Credential Stuffing Attacks

Related: NY AG: Credential Stuffing Impacts 1.1 Million Users at 17 Companies

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Understand how to go beyond effectively communicating new security strategies and recommendations.

Register

Join us for an in depth exploration of the critical nature of software and vendor supply chain security issues with a focus on understanding how attacks against identity infrastructure come with major cascading effects.

Register

Expert Insights

Related Content

Application Security

Cycode, a startup that provides solutions for protecting software source code, emerged from stealth mode on Tuesday with $4.6 million in seed funding.

Cybercrime

The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.

Cybercrime

As it evolves, web3 will contain and increase all the security issues of web2 – and perhaps add a few more.

Cybercrime

A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...

Cybercrime

Luxury retailer Neiman Marcus Group informed some customers last week that their online accounts had been breached by hackers.

Cybercrime

Zendesk is informing customers about a data breach that started with an SMS phishing campaign targeting the company’s employees.

Artificial Intelligence

The release of OpenAI’s ChatGPT in late 2022 has demonstrated the potential of AI for both good and bad.

Cybercrime

Satellite TV giant Dish Network confirmed that a recent outage was the result of a cyberattack and admitted that data was stolen.