issued a warning to a group of its customers about the status of their accounts, in particular regarding a security breach.
As the American virtual wallet company acknowledged, cyber attackers broke into the profiles and some confidential data was compromised.
The company confirmed that on December 20, 2022, an unauthorized third party accessed several PayPal accounts.
According to the first investigations, they discovered that the person responsible for the attack managed to enter between December 6 and 8, 2022.
"During this time, unauthorized third parties were able to view and potentially acquire certain personal information for certain PayPal users," the warning reads.
That data includes usernames, addresses, US Social Security numbers, individual tax identification numbers, and/or dates of birth.
The company has not yet explained exactly how the attackers managed to access these accounts, other than stating that there is "no evidence" that the login credentials were taken from the company's systems.
How the cyberattack against PayPal was perpetrated
PayPal has more than 200 million users worldwide.
The specialized site BleepingComputer reported that the breach is the result of credential stuffing, a type of attack in which hackers "stuff" the login page with numerous passwords taken from elsewhere until one finally works.
This method relies on people using the same passwords across multiple services, so if one is breached, all the others are at risk.
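As an added example (not part of the original report and not PayPal's own tooling), the following Python code shows how a defender could spot the credential-stuffing pattern described above in login telemetry: a single source trying many different usernames only once or twice each, with most attempts failing. The event format, thresholds, function name, and sample data are constructed assumptions.

```python
from collections import defaultdict

# Constructed sample login events: (source_ip, username, success).
# Addresses come from the RFC 5737 documentation ranges.
SAMPLE_EVENTS = (
    # Stuffing pattern: 8 different accounts, one try each, one reused password works.
    [("203.0.113.7", f"user{i}@example.com", i == 5) for i in range(8)]
    # Brute-force pattern: one account hammered repeatedly (a different signal).
    + [("198.51.100.4", "alice@example.com", False)] * 10
    # Ordinary user: one typo, then a successful login.
    + [("192.0.2.10", "bob@example.com", False),
       ("192.0.2.10", "bob@example.com", True)]
)


def detect_stuffing(events, min_users=5, max_tries_per_user=2, min_fail_ratio=0.8):
    """Return sources whose logins look like credential stuffing.

    Heuristic (assumed thresholds): many distinct usernames, very few
    attempts per username, and a high overall failure ratio.
    """
    per_ip = defaultdict(lambda: defaultdict(list))
    for ip, user, ok in events:
        per_ip[ip][user].append(ok)

    findings = {}
    for ip, users in per_ip.items():
        attempts = sum(len(results) for results in users.values())
        failures = sum(results.count(False) for results in users.values())
        widest = max(len(results) for results in users.values())
        if (len(users) >= min_users
                and widest <= max_tries_per_user
                and failures / attempts >= min_fail_ratio):
            findings[ip] = {
                "distinct_users": len(users),
                "attempts": attempts,
                # Accounts where a reused password worked: reset and notify.
                "compromised": sorted(u for u, r in users.items() if True in r),
            }
    return findings


if __name__ == "__main__":
    for ip, info in detect_stuffing(SAMPLE_EVENTS).items():
        print(ip, info)
```

Real campaigns rotate source addresses, so the same grouping is usually applied to other keys as well, such as network, user agent, or device fingerprint.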
The same report also claims that 34,942 accounts were compromised and that transaction histories, connected credit or debit card details, and billing data stored by PayPal were likely also accessed.
At the moment there is no indication of what the hackers will do with the data obtained in the attack.
At this time, PayPal does not have any evidence that the data has been used, but it is safe to assume that it could well be used by cybercriminals in
or spoofing attacks, as well as other forms of social engineering attacks.
To protect its users, PayPal claims to have reset the passwords of affected users and "enhanced security controls" that require them to set up a new account at their next login.
In addition, in the form of compensation, users received one year of free identity monitoring services through Equifax, a US credit company.
Strong passwords, the key to prevent cybercriminals from violating the security of an account.
The company also recommends that the recipients of the notices change their passwords, using a unique, long and more robust string, to avoid new incidents.
Generally, a good password is at least 12 characters long and includes alphanumeric characters and symbols.
In addition, PayPal advised that they turn on two-factor authentication protection from the 'Account Settings' menu, which can prevent an unauthorized user from accessing an account, even if they have a valid username and password.