PayPal reveals 35,000 customer accounts were affected in December attack
According to a notification letter sent to its customers, 35,000 PayPal accounts were compromised in a December credential stuffing attack. Credential stuffing is a form of attack in which hackers try to gain access to an account by trying different login details acquired from other sources.
PayPal suspects that the hackers gained access to these accounts by leveraging passwords that the users had reused across different accounts. This is yet another reason why you should never use one password for multiple accounts.
According to information submitted to the Attorney General in the US state of Maine, the attack affecting 34,942 users happened on December 6. Personal information that was exposed included customers' names, addresses, Social Security numbers, individual tax identification numbers, and dates of birth. However, there is no evidence to show the information was used for further attacks.
"We have no information suggesting that any of your personal information was misused as a result of this incident, or that there are any unauthorised transactions on your account. There is also no evidence that your login credentials were obtained from any PayPal systems," the notification letter reads.
PayPal notes that it has already taken steps to ensure that the hackers can’t access any additional information, such as bank account details, and has reset the passwords for the affected accounts.
The international payment platform has pledged to provide affected customers with two years of free Equifax services.
Password-based attacks continue to be a big menace, with Microsoft estimating that 579 attacks are executed every second. That translates to 18 billion hacking attempts in a year. Many of these attacks succeed because of poor password practices, where users reuse one password for all their accounts or use weak passwords that can easily be broken using brute-force attacks.
Experts encourage users to set up multi-factor authentication and, when possible, to use passwordless login methods.
The PayPal attack comes barely two months after the company added passkeys for passwordless login to accounts across Apple devices, in a move to provide a more secure authentication method compared to passwords.