PayPal is sending data breach notifications to thousands of users whose accounts were accessed late last year through "credential stuffing" attacks that exposed some personal data.
Credential stuffing targets users who employ the same password for multiple online accounts, a practice known as "password recycling." Hackers attempt to access an account by trying out username and password pairs sourced from data leaks on various websites.
PayPal explains that the credential stuffing attack occurred between December 6 and December 8, 2022. The company detected and mitigated it at the time but also started an internal investigation to find out how the hackers obtained access to the accounts.
By December 20, 2022, PayPal concluded its investigation, confirming that unauthorized third parties logged into the accounts with valid credentials.
The electronic payments platform claims that this was not due to a breach of its systems and says it has no evidence that the user credentials were obtained directly from them.
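The pattern described above (many username and password pairs tried, a few succeeding with valid credentials) can be spotted in authentication logs. The following is an added example, not PayPal's detection logic: the event format, thresholds and sample data are constructed assumptions, and the IP addresses come from documentation ranges.

```python
from collections import defaultdict

# Constructed sample events (not real data):
# (epoch_seconds, source_ip, username, login_succeeded)
SAMPLE_EVENTS = (
    # One source walks through leaked pairs; a single recycled password works.
    [(1000 + 10 * i, "203.0.113.7", f"user{i}", False) for i in range(7)]
    + [(1070, "203.0.113.7", "dana", True)]
    # Ordinary user: one typo, then a successful login.
    + [(1005, "198.51.100.4", "alice", False),
       (1020, "198.51.100.4", "alice", True)]
    # Shared office NAT: several users, all succeeding.
    + [(1000 + 60 * i, "192.0.2.10", name, True)
       for i, name in enumerate(["bob", "carol", "erin"])]
)

def detect_stuffing(events, window=300, min_users=5, max_success_ratio=0.2):
    """Return {source_ip: [accounts it logged into]} for sources that try
    many distinct usernames inside `window` seconds with a low success rate."""
    by_ip = defaultdict(list)
    for ts, ip, user, ok in events:
        by_ip[ip].append((ts, user, ok))

    flagged = {}
    for ip, rows in by_ip.items():
        rows.sort()                       # order by timestamp
        start = 0
        for end in range(len(rows)):
            # Slide the window so it spans at most `window` seconds.
            while rows[end][0] - rows[start][0] > window:
                start += 1
            span = rows[start:end + 1]
            users = {u for _, u, _ in span}
            successes = sum(ok for _, _, ok in span)
            if len(users) >= min_users and successes / len(span) <= max_success_ratio:
                # Every success from this source is a candidate compromised
                # account that needs a password reset and session review.
                flagged[ip] = sorted({u for _, u, ok in rows if ok})
                break
    return flagged

if __name__ == "__main__":
    for ip, accounts in detect_stuffing(SAMPLE_EVENTS).items():
        print(f"{ip}: suspected credential stuffing, accounts accessed: {accounts}")
```

Keying on source address alone misses attempts spread across many addresses, so the same windowed count is usually also run per account and per client fingerprint.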