Nearly 35,000 PayPal users had SSNs, tax info leaked during December cyberattack
PayPal is sending out breach notification letters to nearly 35,000 customers after a December 6 credential stuffing attack allowed hackers to access names, addresses, Social Security Numbers, individual tax identification numbers and dates of birth.
The company reported the breach, which occurred from December 6 to December 8, to Maine’s Attorney General.
On December 20, PayPal confirmed that hackers used credential stuffing attacks to gain access to personal data and financial information.
A credential stuffing attack is when hackers take username and password combinations leaked through data breaches and attempt to use them at other online services, hoping that some people reused credentials across different sites.
PayPal said its platform was not breached, writing that there was “no evidence” that customer login credentials were obtained “from any PayPal systems.” Instead, the credentials came from an earlier data leak elsewhere.
“We have not delayed this notification as a result of any law enforcement investigation,” the letter says, noting that the company reset the passwords of the affected accounts and will force the users to create new login credentials when they log back in.
Victims will also be given two years of free services from Equifax that include credit monitoring, fraud alerts, identity restoration and up to $1 million of identity theft insurance coverage for a specific list of out-of-pocket expenses resulting from identity theft.
Paul Bischoff, privacy advocate with Comparitech, said cybercriminals can now use bots to attempt thousands of logins within seconds with compromised account credentials.
“PayPal is one of the most frequently impersonated companies in phishing emails and other scam attempts. Always ensure you’re logging into the real PayPal website,” Bischoff added. “Inspect the URL for spelling errors and never click on links or attachments in unsolicited emails.”
Hackers use automated tools to parse previously compiled lists of breached usernames and passwords, with bots allowing them to launch millions of login attempts “with very little effort on their part,” said KnowBe4’s Erich Kron.
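The pattern the article describes, a single source trying leaked username/password pairs against many different accounts in seconds, is also what makes credential stuffing detectable on the defender's side. The following is an added example, not code from the article or from PayPal: it scans constructed authentication log lines, flags any source IP that hits at least five distinct accounts inside a one-minute window, and lists the accounts that source logged into successfully, which are the ones whose passwords need resetting. The log format and thresholds are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample auth log (not real data): timestamp, source IP, username, result.
# 203.0.113.7 sprays six accounts in three seconds; 198.51.100.9 is one user retrying.
SAMPLE_LOG = """\
2022-12-06T10:00:01Z 203.0.113.7 alice FAIL
2022-12-06T10:00:02Z 203.0.113.7 bob FAIL
2022-12-06T10:00:02Z 203.0.113.7 carol FAIL
2022-12-06T10:00:03Z 203.0.113.7 dave FAIL
2022-12-06T10:00:03Z 203.0.113.7 erin SUCCESS
2022-12-06T10:00:04Z 203.0.113.7 frank FAIL
2022-12-06T10:05:00Z 198.51.100.9 alice FAIL
2022-12-06T10:05:30Z 198.51.100.9 alice FAIL
2022-12-06T10:06:00Z 198.51.100.9 alice SUCCESS
"""

def parse_line(line):
    ts, ip, user, result = line.split()
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), ip, user, result

def find_stuffing_sources(log_text, window=timedelta(minutes=1), min_distinct_users=5):
    """Return {ip: usernames} for sources that touch at least min_distinct_users
    different accounts within any sliding window of the given length."""
    events = defaultdict(list)  # ip -> [(timestamp, user, result), ...]
    for line in log_text.splitlines():
        if line.strip():
            ts, ip, user, result = parse_line(line)
            events[ip].append((ts, user, result))
    flagged = {}
    for ip, evs in events.items():
        evs.sort()
        start = 0
        for end in range(len(evs)):
            while evs[end][0] - evs[start][0] > window:  # slide window forward
                start += 1
            users = {u for _, u, _ in evs[start:end + 1]}
            if len(users) >= min_distinct_users:
                flagged.setdefault(ip, set()).update(users)
    return flagged

def accounts_to_reset(log_text, **kwargs):
    """Accounts a flagged source logged into successfully: likely compromised."""
    flagged = find_stuffing_sources(log_text, **kwargs)
    return {user for line in log_text.splitlines() if line.strip()
            for _, ip, user, result in [parse_line(line)]
            if ip in flagged and result == "SUCCESS"}

if __name__ == "__main__":
    print("stuffing sources:", find_stuffing_sources(SAMPLE_LOG))
    print("reset these accounts:", accounts_to_reset(SAMPLE_LOG))
```

A single retrying user stays below the distinct-account threshold, so ordinary lockout logic and this per-source check complement each other rather than overlap.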