PayPal
Summary
Approximately 34,942 PayPal customer accounts were accessed by threat actors in a credential stuffing attack between 6 and 8 December 2022. The breach, disclosed to affected users on 19 January 2023, exposed full names, dates of birth, postal addresses, social security numbers, and transaction histories. PayPal emphasised this was not a breach of its systems but rather the result of attackers using previously stolen credentials.
What Happened
Between 6 December and 8 December 2022, hackers conducted a large-scale credential stuffing attack against PayPal accounts. In this type of attack, threat actors take login credentials stolen in breaches of other services and try them at scale against PayPal's login, relying on users having reused the same password.
PayPal's investigation, concluded on 20 December 2022, confirmed that unauthorised third parties logged into the accounts using valid credentials that had been compromised elsewhere. The platform detected the suspicious activity and took action to limit the intruders' access and secure affected accounts.
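The pattern described above, a single source trying stolen credentials against many different accounts, is what an authentication-log detector looks for. The following is an added example and not PayPal's code; the log format, the sample lines and the thresholds are constructed assumptions.

```python
"""Credential-stuffing detector over authentication log lines (added example).
Flags a source IP that attempts logins against many distinct accounts within a
short window with a low success rate, the signature of replaying credentials
stolen elsewhere. Log format, thresholds and sample lines are constructed."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: "<ISO time> <source_ip> <username> <result>"
SAMPLE_LOG = """\
2022-12-06T10:00:01 203.0.113.7 alice@example.com FAIL
2022-12-06T10:00:02 203.0.113.7 bob@example.com FAIL
2022-12-06T10:00:02 203.0.113.7 carol@example.com OK
2022-12-06T10:00:03 203.0.113.7 dave@example.com FAIL
2022-12-06T10:00:04 203.0.113.7 erin@example.com FAIL
2022-12-06T10:00:05 203.0.113.7 frank@example.com FAIL
2022-12-06T10:05:00 198.51.100.4 alice@example.com FAIL
2022-12-06T10:05:10 198.51.100.4 alice@example.com FAIL
2022-12-06T10:05:20 198.51.100.4 alice@example.com OK
"""

def parse_log(text):
    """Yield (time, ip, user, success) tuples from the constructed format."""
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, user, result = line.split()
        yield datetime.fromisoformat(ts), ip, user, result == "OK"

def find_stuffing_sources(text, window=timedelta(minutes=5),
                          min_accounts=5, max_success_rate=0.5):
    """Return {ip: (distinct_accounts, successes, attempts)} for sources that
    hit >= min_accounts distinct usernames inside `window` while succeeding on
    at most max_success_rate of attempts. A legitimate user retrying their own
    password from one IP touches only one account and is not flagged."""
    events = defaultdict(list)
    for ts, ip, user, ok in parse_log(text):
        events[ip].append((ts, user, ok))
    flagged = {}
    for ip, evs in events.items():
        evs.sort()
        for i, (start, _, _) in enumerate(evs):
            span = [e for e in evs[i:] if e[0] - start <= window]
            users = {u for _, u, _ in span}
            successes = sum(ok for _, _, ok in span)
            if len(users) >= min_accounts and successes / len(span) <= max_success_rate:
                flagged[ip] = (len(users), successes, len(span))
                break
    return flagged
```

The sole successful login from the flagged source is the one that matters to responders: it marks an account whose reused password worked and should be reset, as PayPal did for confirmed compromised accounts.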
Impact on Individuals
The attackers had access to account holders' full names, dates of birth, postal addresses, social security numbers (or individual tax identification numbers), and transaction histories. Details of linked credit or debit cards and PayPal invoicing data, both of which are viewable from within a PayPal account, may also have been exposed.
Although PayPal did not begin notifying affected users until 19 January 2023, approximately six weeks after the attack, the company claimed it took timely action to limit access. Affected users, including Australians with PayPal accounts, had their passwords reset by PayPal as a security measure.
Organisational Response
PayPal concluded its investigation on 20 December 2022 and began notifying affected users on 19 January 2023. The company reset passwords for all confirmed compromised accounts and implemented additional security measures to prevent further unauthorised access.
PayPal maintained that the breach was not due to a compromise of its own systems and found no evidence that user credentials were obtained directly from PayPal's infrastructure. The incident highlighted the ongoing risk of credential stuffing attacks when users reuse passwords across multiple services.