PayPal: 35,000 Users Had Social Security, Tax Info Exposed To Hackers

Nearly 35,000 PayPal users had their personal information, including social security and tax identification numbers, exposed to hackers, according to the company.

PayPal has begun sending out the data breach notices to thousands of users, according to BleepingComputer, which was first to report the news. On Wednesday, PayPal also notified Maine’s Attorney General about the incident, saying it affected 34,942 users.

The hackers accessed the user information not by breaching PayPal’s internal systems, but by successfully guessing the login passwords. Specifically, the hackers resorted to a “credential stuffing” attack, which involves automatically submitting login credentials uncovered in past data breaches in the hope that users have reused them.

The login attempts occurred last month between Dec. 6th and Dec. 8th before PayPal began eliminating the hackers’ access. Fortunately, the attackers refrained from making any fraudulent transactions over the affected accounts. Nevertheless, the culprits were able to access sensitive personal information from thousands of users, which could be exploited to conduct identity theft schemes and other scams.  

“The personal information that was exposed could have included your name, address, Social Security number, individual tax identification number, and/or date of birth,” PayPal wrote in the data breach notice it’s been sending to affected consumers.

In a statement to PCMag, PayPal played down the incident, saying only a relatively “small number of PayPal customer accounts” had been affected.

“PayPal’s payment systems were not impacted, and no financial information was accessed,” a company spokesperson said. “We have contacted affected customers directly to provide guidance on this matter to help them further protect their information. The security and privacy of our customers’ account information remains a top priority for PayPal, and we sincerely apologize for any inconvenience this may have caused.”

In its data breach notice, PayPal further noted: “We have no information suggesting that any of your personal information was misused as a result of this incident, or that there are any unauthorized transactions on your account.” In addition, the company has reset the passwords for the affected PayPal accounts.

Still, victims should be on guard. For example, the hackers could use the exposed personal information to open credit cards or file a tax return with the goal of stealing the user’s refund from the IRS. In response, PayPal plans on offering affected victims two years of free identity monitoring services.

The incident is also a reminder to use unique, hard-to-guess passwords on your most important login accounts. You should also activate the account’s two-factor authentication, which can make it harder for hackers to break in even if they successfully obtained your password. 
