According to a Data Breach Notification report, a total of 34,942 PayPal users were affected by a data breach in which their login details were compromised. PayPal linked the breach to the activities of ‘unauthorized parties’ who fraudulently accessed private accounts using customer login credentials.
As to how the attackers operated, PayPal noted that whoever got into the accounts had probably obtained the victims’ usernames and passwords from another site where the victims had reused the same login details, a reminder of why it is important to use a unique password for each site or app.
In the letter sent to PayPal users on January 18, 2023, the payment platform noted that the abnormality was first discovered on December 20, 2022.
After investigations, PayPal discovered the unauthorized activity occurred between December 6, 2022, and December 8, 2022, when the platform eliminated access for unauthorized third parties.
It added: “We have no information suggesting that any of your personal information was misused as a result of this incident, or that there are any unauthorized transactions on your account. There is also no evidence that your login credentials were obtained from any PayPal systems.”
Customer details exposed during the breach included names, addresses, Social Security numbers, individual tax identification numbers, and dates of birth.
On the actions taken since it discovered the breach, PayPal said: “Upon learning about this unauthorized activity, we promptly began an investigation and took action to address this incident, including by taking steps to prevent unauthorized actors from obtaining further personal information. We reset the passwords of the affected PayPal accounts and implemented enhanced security controls that will require you to establish a new password the next time you login to your account.”
The platform also announced it had secured the services of Equifax, a credit monitoring firm, to provide identity monitoring services at no cost to users for two years.