PayPal has recently filed with the US Maine Attorney General’s Office notice of a data breach, after learning that confidential consumer information was compromised following what appears to have been a credential stuffing attack. The incident resulted in an unauthorized party gaining access to consumers’ names, addresses, Social Security Numbers, individual Tax Identification Numbers, and dates of birth. After confirming that consumer data was leaked, PayPal began sending out data breach notification letters to all 34,942 individuals – who were impacted by this data security incident.
Credential stuffing is a type of attack in which hackers “stuff” the login page with numerous credentials taken elsewhere until one eventually works. This method relies on people using the same passwords across multiple online services so that if one gets breached, all are at risk.
To protect its users, PayPal reset the passwords for the affected users, and “enhanced security controls”, requiring users to set up a new account on their next login. The affected users were also given two years free identity monitoring services through Equifax.
Read more about it here.