
PayPal: 35,000 Users Had Social Security, Tax Info Exposed to Hackers

The hackers accessed the information by successfully guessing the affected users' passwords through a 'credential stuffing' attack.

Nearly 35,000 PayPal users had their personal information, including Social Security and tax identification numbers, exposed to hackers, according to the company.

PayPal is sending data breach notices to thousands of users, according to BleepingComputer, which was first to report the news. On Wednesday, PayPal also notified Maine’s attorney general about the incident, saying it affected 34,942 users. 

The hackers accessed the user information not by breaching PayPal’s internal systems, but by successfully guessing login passwords. Specifically, the hackers resorted to a “credential stuffing” attack, which involves automatically injecting login credentials uncovered in past data breaches. 

The login attempts occurred last month, between Dec. 6 and Dec. 8, before PayPal began eliminating the hackers’ access. Fortunately, the attackers refrained from making any fraudulent transactions on the affected accounts. Nevertheless, the culprits were able to access sensitive personal information from thousands of users, which could be exploited to conduct identity theft schemes and other scams.

“The personal information that was exposed could have included your name, address, Social Security number, individual tax identification number, and/or date of birth,” PayPal wrote in the data breach notice it’s been sending to affected consumers.  

In a statement to PCMag, PayPal downplayed the incident, saying only a “small number of PayPal customer accounts” had been affected. 

“PayPal’s payment systems were not impacted, and no financial information was accessed,” a company spokesperson said. “We have contacted affected customers directly to provide guidance on this matter to help them further protect their information. The security and privacy of our customers’ account information remains a top priority for PayPal, and we sincerely apologize for any inconvenience this may have caused.”

In its data breach notice, PayPal further noted: “We have no information suggesting that any of your personal information was misused as a result of this incident, or that there are any unauthorized transactions on your account.” In addition, the company has reset passwords on the affected PayPal accounts. 

Still, victims should be on guard. For example, the hackers could use the exposed personal information to open credit cards or file a tax return with the goal of stealing the user's refund from the IRS. In response, PayPal plans on offering affected victims two years of free identity monitoring services.

The incident is also a reminder to use unique, hard-to-guess passwords on your most important accounts. You should also activate two-factor authentication on those accounts, which can make it harder for hackers to break in even if they have obtained your password.

About Michael Kan
