In December last year, hackers accessed the PayPal accounts of more than 1.6 million users of the online payment service. As a result, PayPal is now sending out data breach notifications to affected users.
A large number of customer accounts of the company were compromised in this attack. With the help of credential stuffing, the hackers behind this attack were able to gain access to almost 35,000 accounts of this company.
PayPal sent out a Warning of Security Incidents to affected customers on December 6th and 8th of last year. This warning stated that the attack took place from December 6th to 8th. When the attack took place, the company was able to detect its occurrence as well as implement the necessary steps to mitigate it. PayPal has also launched an internal investigation, there is a search underway for how the hackers responsible were able to gain access to PayPal customers' accounts in the first place.
Despite the company's claim that the hackers were unable to carry out any transactions through the breached accounts, a lot of sensitive information about affected customers was stolen, such as their full names, dates of birth, physical addresses, Social Security numbers, and tax identification numbers, along with their full names and dates of birth.
Based on PayPal's investigation, the hackers behind this attack used credential stuffing to access the accounts of PayPal's customers by gaining access to the credentials of PayPal's employees. A popular method of attacking data can be found on the dark web, but unlike a data breach, it uses accounts already in circulation.
It is often the case that credential-stuffing attacks are orchestrated by using bots that have been programmed to enter passwords and usernames from data breaches. This is required to crack a user's account. There are several bots that attempt to use the same credentials for multiple online services with the hope that the passwords have not changed recently.
Using the same password across multiple accounts can be dangerous for a user's security. A hacker can access your password by infiltrating a website or service. This is done by establishing a connection with their servers. This allows them to access the rest of the accounts using that password.
When your PayPal account is hacked, what should you do next?
If PayPal has notified you that your account was breached by hackers and you received a message that you must reset your password, the company has already done so. Thus, it is recommended that you create a strong, complex, and distinct password for your account the next time you log in so that your account remains safe. A password manager, such as KeePass, will be able to generate strong passwords for you, which can be incorporated into one of the most trustworthy password managers. In addition, many of these sites also allow their users to generate passwords online for free.
To protect you from identity theft, PayPal is offering two years of free identity monitoring from Equifax. This is done using your name, birth date, address, and social security number. If, however, you wish to extend your protection even further, you may want to sign up for an identity theft protection service.
It is also recommended that you enable two-factor authentication for your PayPal account, which will help prevent a hacker from gaining access to your account even if they obtain your login credentials, which can be crucial to the safety and security of your account.
Despite the many risks involved, password reuse is still one of the biggest problems in the online world but hopefully, this unfortunate incident will get people to use strong, complex, and unique passwords - especially when it comes to their financial accounts.