PayPal has begun sending out data breach notifications to users of the online payment service whose accounts were accessed by hackers in December of last year.
In this case, PayPal's own systems were not breached. The attackers used credential stuffing to get into the accounts of almost 35,000 customers, according to BleepingComputer.
In a Notice of Security Incident sent to affected customers, PayPal explained that the unauthorized logins took place between December 6 and December 8 of last year. The company detected the activity while it was underway and took steps to stop it at the time, then launched an internal investigation to determine how the attackers had been able to access customer accounts.
Although the company says the attackers were not able to perform any transactions from the accounts, they were able to view a good deal of sensitive personal information, including customers' full names, dates of birth, postal addresses, Social Security numbers and individual tax identification numbers.
PayPal's investigation found that the attackers used credential stuffing to get into customer accounts. Unlike a breach of PayPal's own systems, this technique relies on username and password pairs that were leaked in earlier breaches of other services and are already circulating on the dark web.
Credential stuffing is almost always automated: bots take lists of credentials harvested from previous data breaches and try them against many online services, betting that the victims reused the same password and haven't changed it since the original leak. Nothing is cracked or guessed; the password simply happens to be valid for that account too.
That is why password reuse, using the same password across multiple accounts, is so dangerous. Once one site is breached and an attacker obtains your password, it will be tried against your other accounts, and each attempt looks like an ordinary login because the password is correct.
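The automated pattern described above leaves a recognizable trace in authentication logs: a single source trying many different usernames in a short window, with a low success rate, and a scattering of "successful" logins that are really account takeovers. The following is an added detection example, not code from PayPal or from the article. It assumes a constructed, simplified log format (timestamp, source IP, username, result); the log lines, thresholds and window size are illustrative only.

```python
"""Flag credential-stuffing sources in a simple authentication log.

Added example for illustration; not PayPal's code. The log format, sample
lines and thresholds are assumptions chosen for this demonstration.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: "<ISO timestamp> <source ip> <username> <ok|fail>".
# 203.0.113.7 sprays one leaked password per username (stuffing, two hits).
# 198.51.100.9 is one user mistyping their own password, then succeeding.
# 192.0.2.44 is a single ordinary login.
SAMPLE_LOG = """\
2022-12-06T10:00:01 203.0.113.7 alice fail
2022-12-06T10:00:02 203.0.113.7 bob fail
2022-12-06T10:00:02 203.0.113.7 carol ok
2022-12-06T10:00:03 203.0.113.7 dave fail
2022-12-06T10:00:03 203.0.113.7 erin fail
2022-12-06T10:00:04 203.0.113.7 frank fail
2022-12-06T10:00:04 203.0.113.7 grace ok
2022-12-06T10:00:05 203.0.113.7 heidi fail
2022-12-06T10:00:05 203.0.113.7 ivan fail
2022-12-06T10:00:06 203.0.113.7 judy fail
2022-12-06T10:05:00 198.51.100.9 alice fail
2022-12-06T10:05:20 198.51.100.9 alice fail
2022-12-06T10:05:40 198.51.100.9 alice ok
2022-12-06T10:06:00 192.0.2.44 mallory ok
"""


def parse_log(text):
    """Return a list of (timestamp, ip, username, success) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, user, result = line.split()
        events.append((datetime.fromisoformat(ts), ip, user, result == "ok"))
    return events


def find_stuffing_sources(events, window=timedelta(minutes=5),
                          min_distinct_users=5, max_success_rate=0.5):
    """Per source IP, slide a time window over its login attempts and flag the
    IP if any window contains at least `min_distinct_users` different usernames
    with a success rate no higher than `max_success_rate`.

    Many distinct usernames separates stuffing from a brute-force attack on one
    account or from a legitimate user retyping their password. The low success
    rate separates it from a shared NAT gateway where most logins succeed.
    Returns {ip: summary of the widest matching window}.
    """
    by_ip = defaultdict(list)
    for ts, ip, user, ok in events:
        by_ip[ip].append((ts, user, ok))

    flagged = {}
    for ip, attempts in by_ip.items():
        attempts.sort()
        start = 0
        for end in range(len(attempts)):
            # Advance the window start until it spans at most `window`.
            while attempts[end][0] - attempts[start][0] > window:
                start += 1
            span = attempts[start:end + 1]
            users = {u for _, u, _ in span}
            if len(users) < min_distinct_users:
                continue
            successes = [u for _, u, ok in span if ok]
            rate = len(successes) / len(span)
            if rate > max_success_rate:
                continue
            best = flagged.get(ip)
            if best is None or len(users) > best["distinct_users"]:
                flagged[ip] = {
                    "distinct_users": len(users),
                    "attempts": len(span),
                    "success_rate": round(rate, 2),
                    # Accounts the stuffing source actually got into: these
                    # are the ones to force-reset, as PayPal did.
                    "compromised": sorted(set(successes)),
                }
    return flagged


if __name__ == "__main__":
    for ip, summary in find_stuffing_sources(parse_log(SAMPLE_LOG)).items():
        print(ip, summary)
```

Per-IP thresholds are only a first cut: stuffing tools routinely rotate through residential proxies so that each IP makes a handful of attempts, which this heuristic will miss. Production detection combines the same idea with other signals (user-agent and TLS fingerprint, ASN, impossible travel for the accounts that succeeded), and the successful logins from a flagged source are the ones that warrant a forced password reset and a customer notification.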
What to do next if your PayPal account was breached
If you received a message from PayPal saying your account was accessed, the company has already reset your password. The next time you log in, set a strong, unique password for the account, one that you do not use anywhere else. A password manager is the easiest way to do this, since it can generate and store a long random password for you; several of the best password managers also offer free password generators on their websites.
Because a name, date of birth, address and Social Security number are enough to open accounts or file fraudulent tax returns in your name, PayPal is providing affected customers with two years of free identity monitoring from Equifax. If you want more protection, consider one of the best identity theft protection services, which monitor your identity and also provide insurance coverage in case your identity is stolen; those funds can be used to reclaim your identity, obtain new documents and cover other costs related to identity theft.
PayPal also recommends enabling two-factor authentication (2FA) on your account. A second factor is precisely the control that defeats credential stuffing: a stolen password on its own is no longer enough to log in. An authenticator app or a hardware security key is a stronger second factor than one-time codes sent by SMS, which can be intercepted through SIM swapping.
Password reuse is still a big problem despite the risks, but hopefully this incident will convince more people to use strong, unique passwords for each of their online accounts, especially their financial ones.