Got PayPal? A recent data breach may have compromised your personal information

I was alerted through a news article of a data breach at PayPal that could have compromised thousands of accounts. According to reports, close to 35,000 PayPal accounts are affected. The breach by an unauthorized third party happened in December 2022, specifically between December 6 and 8 as well as December 20. It was only on December 20 that the breach was discovered.

PayPal has already taken steps as a result of the breach. PayPal reset the passwords of affected PayPal accounts and implemented enhanced security controls that will require these accounts to provide a new password the next time they log in. Warning emails were sent to these accounts to inform them of the breach, PayPal’s response, and actions that the account owners need to take.

In addition, the affected users are being given a two-year complimentary membership to Equifax, an identity monitoring service.

Was PayPal hacked?

NO, PayPal was NOT hacked. The data breach happened because the affected users did not take enough steps to secure their accounts.

How did the breach happen then?

The breach was carried out through credential stuffing, a type of attack where hackers use automation to inject stolen username and password pairs, already available on the dark web from previous data breaches on other sites, into login forms.

Those who use credential stuffing take advantage of users with weak online security practices, such as those who use the same username and password to log into multiple sites, do not regularly change their passwords, and often do not employ two-factor or multi-factor authentication.

What personal information was exposed?

PayPal disclosed in their incident report that personal information exposed could include name, postal address, Social Security number, individual tax identification number, and/or date of birth.

It is also possible that invoicing data and credit/debit card details were likewise exposed. While it is not yet clear what could happen as a result of this exposure, I can make a guess that, with that information, identity theft or phishing are possibilities.

What to do if you received a warning email from PayPal?

If you are one of those who received a warning email from PayPal regarding this data breach, you must immediately take steps to strengthen your PayPal account.

  • Immediately change your password and use a strong one that uses upper and lowercase letters, numbers, and symbols. The maximum password limit of PayPal is 20 characters. I use the full 20-character limit with a combination of letters, numbers, and symbols.
  • Enable two-factor authentication (2FA) – Using a desktop browser, click the Settings icon (the gear) and go to the Security tab. From there you can activate 2FA.

 

Here’s what it looks like when 2FA is active

PayPal is one of those sites I am really paranoid about because it involves money. That, my e-wallet sites, and banking apps all have 2FA activated. Plus, I use really looooooong passwords (more than 20 characters if available). I also do not reuse passwords and I do not use the same password on different sites.

The Christmas season is especially attractive to these bad elements. Last November, I received two requests to pay unknown people and they were asking for hundreds of dollars each. I have no business that requires me to pay anyone, except for my blogging host provider.

I promptly reported these fraudulent invoices to PayPal and just ignored the requests. Well, what do you know? Just this month, both those fraudulent invoices were cancelled. I do not know if those people did it or PayPal did. But I am relieved that I no longer have them as pending requests for payment on my feed.

Stay digitally safe!

 

Tita Jane

Tita forever, geek forever!!! Loves gadgets more than clothes... First introduced to IT via punched cards and COBOL programming... IT auditor for over 5 years... IT consultant covering the financial industry for over 7 years... Now, a blogger and social media practitioner...and still covering the IT world, among other interests. And proud that all my kids are geeky as well. ~ Tita Jane Uymatiao
