PayPal Breach Highlights Need for Strong Passwords and MFA

A recent security incident involving nearly 35,000 PayPal customers serves as a wake up call to organizations of all sizes to implement a zero-trust architecture, enable MFA, and use strong and unique passwords.

Attackers gained access to the accounts of thousands of PayPal users between December 6 and 8, 2022 during a credential stuffing attack. While PayPal itself was not hacked, cybercriminals used the credential stuffing tactic to gain access to accounts. The technique uses an automated process to attempt to login into a service with credentials that have been reused between accounts and subsequently breached at one of them.

PayPal notified all affected account holders via email about the breach, which the company discovered December 20. The notice further stated that “no information suggesting that any of your personal information was misused as a result of this incident, or that there are any unauthorized transactions on your account.” Access to the impacted accounts was “eliminated for unauthorized third parties” on December 8.

While PayPal has no evidence of unauthorized transactions being made, the attackers potentially have access to consumers’ critical personal data, including “name, address, Social Security number, individual tax identification number, and/or date of birth.” Additionally, information such as PayPal transaction histories and connected credit or debit card details, along with company invoicing data, may have also been accessed.

“PayPal’s payment systems were not impacted, and no financial information was accessed. We have contacted affected customers directly to provide guidance on this matter to help them further protect their information,” said a PayPal spokesperson via email to industry publication Cybersecurity Drive. The company mitigated the data breach by limiting access and resetting passwords of compromised accounts. 

CNET released an article with 5 ways for PayPal account holders to lock down their data after the breach, using Google’s Password Checkup tool:

  1. If you use Google’s password service to keep track of your login credentials in Chrome or Android, head to Google’s password manager site and tap Go to Check passwords.
  2. Tap Check Passwords and verify it’s you.
  3. Enter the password for your Google account.
  4. Google will display any issues it’s found, including compromised, reused and weak passwords.
  5. Next to each reused or weak password is a Change password button you can tap to pick a more secure one.

For even more protection, Enfortra offers companies white label identity theft solutions as well as credit monitoring services to provide peace of mind for their employees.