PayPal hacker attack exposes customer names and Social Security numbers — what to do now


PayPal has begun sending out data breach notifications to users of the online payment service whose accounts were accessed by hackers in December of last year.

In this case, the company’s internal systems weren’t breached: the hackers behind this attack used credential stuffing to access the accounts of almost 35,000 customers, according to BleepingComputer.

In a Notice of Security Incident sent out to affected customers, PayPal explained that the attack itself took place between December 6 and 8 of last year. The company detected the attack while it was taking place and took steps to mitigate it at the time. PayPal also launched an internal investigation to find out how the hackers responsible were able to access the accounts of its customers.

Although the company says that the hackers were not able to perform any transactions using the breached accounts, they did manage to view a good deal of sensitive information about affected customers, including their full names, dates of birth, physical addresses, Social Security numbers and tax identification numbers.

Credential stuffing


PayPal’s investigation found that the hackers behind this attack used credential stuffing to access customer accounts. Unlike a data breach, this attack method uses existing credentials that are already circulating on the dark web.

Credential stuffing attacks typically rely on automation: bots work through lists of usernames and passwords obtained in previous data breaches and try them at multiple online services, in the hope that customers haven’t changed their passwords since those breaches.

This is why password reuse — where a person uses the same password across multiple accounts — is so dangerous. If a site or service is breached and a hacker obtains your password, they then try and use it to log in to your other accounts.
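From the defender’s side, the pattern described above is visible in authentication logs: one source trying many different usernames in a short window with a high failure rate. The following is an added example, not code from PayPal or BleepingComputer; it assumes a constructed log format of `timestamp source_ip username result` and flags sources that look like a stuffing bot, then lists the accounts that were successfully logged into from those sources (the ones that need a password reset first).

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines (not from any real incident).
# Format assumed here: <timestamp> <source_ip> <username> <FAIL|SUCCESS>
SAMPLE_LOG = """\
2022-12-06T10:00:01Z 203.0.113.5 alice@example.com FAIL
2022-12-06T10:00:02Z 203.0.113.5 bob@example.com FAIL
2022-12-06T10:00:02Z 203.0.113.5 carol@example.com SUCCESS
2022-12-06T10:00:03Z 203.0.113.5 dave@example.com FAIL
2022-12-06T10:00:04Z 203.0.113.5 erin@example.com FAIL
2022-12-06T10:00:05Z 203.0.113.5 frank@example.com FAIL
2022-12-06T10:05:00Z 198.51.100.7 alice@example.com FAIL
2022-12-06T10:05:30Z 198.51.100.7 alice@example.com SUCCESS
"""


def parse_log(text):
    """Yield (timestamp, ip, user, success) tuples from the log text."""
    for line in text.splitlines():
        ts, ip, user, result = line.split()
        yield datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), ip, user, result == "SUCCESS"


def flag_stuffing_sources(text, window=timedelta(minutes=5), min_users=5, min_fail_rate=0.6):
    """Return {ip: (distinct_users, fail_rate)} for sources that behave like a
    stuffing bot: many distinct usernames and mostly failures inside one window.
    A legitimate user mistyping a password touches one or two accounts, not dozens."""
    events = defaultdict(list)
    for ts, ip, user, ok in parse_log(text):
        events[ip].append((ts, user, ok))
    flagged = {}
    for ip, attempts in events.items():
        attempts.sort()
        for i, (start, _, _) in enumerate(attempts):
            # Sliding window starting at attempt i.
            in_window = [a for a in attempts[i:] if a[0] - start <= window]
            users = {u for _, u, _ in in_window}
            fail_rate = sum(not ok for _, _, ok in in_window) / len(in_window)
            if len(users) >= min_users and fail_rate >= min_fail_rate:
                flagged[ip] = (len(users), round(fail_rate, 2))
                break
    return flagged


def compromised_accounts(text, flagged):
    """Usernames that logged in successfully from a flagged source: reset these
    first and prompt for 2FA, as the notice described in this article does."""
    return sorted({u for _, ip, u, ok in parse_log(text) if ok and ip in flagged})
```

Thresholds are deliberately simple; a production detector would also consider user-agent churn, geographic spread and per-account velocity, but the core signal (distinct usernames per source and failure rate) is the same.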

What to do next if your PayPal account was breached

If you received a message from PayPal saying your account was breached by hackers, the company has already reset your password. The next time you log in, you should create a strong, complex and unique password for your account. One of the best password managers can generate such a password for you, and many of them also offer free password generators online.

As hackers can do quite a lot with your name, birth date, address and Social Security number, PayPal is providing two years of free identity monitoring from Equifax. If you want even more protection, you may want to sign up for one of the best identity theft protection services, as they monitor your identity while also providing insurance payouts in case your identity is stolen. If that happens, these funds can be used to reclaim your identity, obtain new documents and cover any other costs related to identity theft.

PayPal also recommends that you enable two-factor authentication (2FA) for your account, which can help prevent a hacker from accessing it even if they do get their hands on your credentials.

Password reuse is still a big problem despite the risks, but hopefully this incident will help convince more people to use strong, complex and unique passwords for each of their online accounts — especially their financial ones.

Anthony Spadafora
Senior Editor Security and Networking