35k PayPal Accounts Compromised In Credential Stuffing Attack

By   Adeola Adegunwa
Writer , Informationsecuritybuzz | Jan 20, 2023 03:26 am PST

35k accounts of PayPal users were affected by a large-scale credential stuffing attack that exposed their personal information. The attack, which took place between December 6th and December 8th, 2022, was quickly detected and mitigated by the company. However, PayPal also initiated an internal investigation to determine the source of the attack and how the hackers were able to penetrate users’ accounts.

The company is taking every vital step to notify affected users and provide them with the resources they need to protect themselves from further harm. This regrettable occurrence serves as a reminder of the significance of being watchful and taking preventative actions to protect our online accounts and personal information.

PayPal’s Response To The Incident

PayPal completed its investigation on December 20th, 2022, and confirmed that unauthorized parties were able to log into the accounts using valid credentials. The company stated that this was not due to a breach in their systems, and they have no evidence to suggest that the user credentials were obtained directly from them. According to the company, close to 35,000 users were affected by the attack. 

However, it’s important to note that the credentials used in this attack could have been obtained from previous data breaches on other websites, and the users may have used the same credentials for their PayPal accounts. This highlights the importance of not using the same password for multiple online accounts and being vigilant about any suspicious activity or notifications from companies such as PayPal.

As a result of the attack, hackers had access to account holders’ personal information, including full names, dates of birth, postal addresses, social security numbers, and individual tax identification numbers. 

This type of personal information can be used for identity theft and fraud, which can have severe consequences for the affected individuals. Additionally, transaction histories, connected credit or debit card details, and PayPal invoicing data were accessible on the breached accounts, potentially exposing sensitive financial information.

Security Measures Implemented: 

PayPal took immediate action to limit the intruders’ access to the platform and reset the passwords of accounts confirmed to have been breached. The company also confirmed that the attackers have not attempted or did not manage to perform any transactions from the breached PayPal accounts. In response to the incident, PayPal has reset the accounts’ passwords and implemented enhanced security controls that will require users to establish a new password the next time they log in to their accounts. Additionally, impacted users will receive a free-of-charge two-year identity monitoring service from Equifax.

Understanding Credential Stuffing

Credential stuffing attacks involve hackers utilizing a list of details such as usernames and passwords that are obtained through data breaches on different websites in an attempt to gain access to various accounts. The attackers typically use automated tools, such as bots, to try multiple combinations of login credentials on different platforms.

This approach is particularly effective against individuals who use the same password across multiple accounts, a practice known as “password recycling.” While this may be a convenient way for users to remember multiple login credentials, it also makes them more susceptible to these types of attacks. It’s essential to use unique passwords for each account and to be vigilant about suspicious login attempts.

Precautions for Users

PayPal strongly recommends that recipients of the notices change the passwords for other online accounts using a unique and complex string. A good password should be at least 12 characters long and include a combination of alphanumeric characters and symbols. Moreover, PayPal advises users to activate multi-factor authentication (2FA) protection from the ‘Account Settings’ menu. 2FA is a more advanced layer of security that can prevent unauthorized parties from accessing an account, even if they have a valid username and password.

Why is 2FA Important?

2FA is vital because it reduces the risk of unauthorized access to your online accounts. A hacker may be able to obtain your password through various means, such as phishing or guessing. Still, they would not be able to access your account without the additional piece of information provided by 2FA. This means that even if your password is compromised, your account remains secure.

Enabling 2FA on your online accounts is an easy and effective way to greatly enhance the security of your personal information and financial transactions. In light of recent cyber-attacks, users need to take all necessary measures to protect their online accounts, and 2FA should be considered an important step in achieving this. Users should take advantage of the security features offered by online services such as PayPal to protect their personal and financial information.

Users should also be cautious of using public Wi-Fi networks and use a virtual private network (VPN) to encrypt their connection when accessing sensitive information. Additionally, users should be aware of potential phishing attempts and verify the authenticity of any communication before providing personal information or taking any action. It’s also important to monitor credit reports regularly and sign up for a credit monitoring service to detect any suspicious activity.


The recent credential-stuffing attack on PayPal serves as a reminder of the importance of strong security practices and the need to be vigilant. By following the recommended steps, such as using unique and strong passwords, activating 2FA, being cautious of public Wi-Fi networks, monitoring accounts for suspicious activity, being aware of phishing attempts, and monitoring credit reports regularly, users can help to protect themselves from falling victim to similar attacks in the future. It is also important for users to stay alert and monitor their account activities, and report any suspicious activities to PayPal immediately. 

Notify of
15 Expert Comments
Oldest Most Voted
Inline Feedbacks
View all comments
Ted Miracco
Ted Miracco , CEO
InfoSec Expert
January 24, 2023 11:04 am

“We are not witnessing the death of password technology, but what we are witnessing (again and again) is the death of the naïveté and wishful thinking that surrounds any technology built on the premise that a single authentication source is a good idea. We have rushed to embrace SSO technologies without fully considering the obvious major disadvantage is that it constitutes a single point of failure, as the compromised password lets the intruder into all areas open to the password owner, and in the case of PayPal the consequences might be quite high for those that built their trust into these systems without additional safeguards like 2FA or hardware authentication.”

Last edited 4 months ago by Ted.Miracco
Julia O’Toole
Julia O’Toole , Founder and CEO
Industry Leader
January 24, 2023 11:03 am

“This is yet another credential stuffing attack that has been announced in the last few days, and it once again shows how attackers constantly scrape data from the dark web to exploit compromised information further.


PayPal has stated that it has no evidence of user accounts being used maliciously, but this should provide little comfort for victims. The attackers can now target these victims with phishing emails and identity theft scams and use those passwords again on other sites.


This incident highlights the unrealistic expectation of individuals having to create and remember unique passwords for all their online accounts. It’s the reason why many people use variations of the same password for all their accounts, including for their password manager account.


But in reality, this is a false assumption. People do not make their own keys, nor do they remember the specific grooves of each key. They simply find the key and use it. Equally they don’t need to create and remember their passwords either. They just need to find the password and use it.


That means they don’t need to generate passwords themselves, just as they don’t cut their own keys. Instead, individuals can use secure application solutions that generate strong, random, unique, independent passwords for each of their accounts, and crucially, store the passwords encrypted in segmented layers of security based on their importance. For example, passwords for important accounts, such as savings accounts, should be kept in the innermost layers of security, requiring multiple factors known only to the account holder to access. This way, even if one password is compromised, the rest of their accounts and passwords will be protected, and since passwords are not all sitting behind a master password, which is usually the case with password managers, people can’t lose all their passwords, accounts and data at once.


As attackers are constantly looking at ways to trick people into handing over their passwords, and with the help of AI technology like ChatGPT to craft perfect emails, it will become even easier to trick people to give away their passwords. To prevent password reuse or similar passwords, we need to move people away from user-generated passwords and encourage the use of strong unique random–generated passwords for each online account, as this may be the only strategy to stay secure online in the future.”

Last edited 4 months ago by Julia O’Toole
Mark Lamb
Mark Lamb , CEO
InfoSec Expert
January 24, 2023 10:58 am

“This incident highlights there is no data on the dark web that goes unnoticed, or unused.
PayPal customers that have had their accounts accessed must have featured in a previous data breach and when an attacker got hold of their passwords and emails, they used an automated credential stuffing attack to test them out against other sites, which then granted them with access to PayPal.
Anyone impacted by this incident must change their passwords now, not only for their PayPal account, but also for any other sites using the same access credentials.
When it comes to protecting against these threats, it is critical that internet users are taught about the importance of utilising strong and unique passwords. Organisations can also add additional security layers by implementing multi-factor authentication and implementing technology which has the ability to detect mass logins over a short period of time, which is often the number red flag warning of a credential stuffing attack.”

Last edited 4 months ago by Mark Lamb
Matt Rider
Matt Rider , VP of Security Engineering EMEA
InfoSec Expert
January 24, 2023 10:58 am

“All indications are that PayPal got their arms around this well and should be applauded for doing so.  This is likely the result of good security education within the organisation, established visibility, and effective technical capabilities. These factors are the keys to identifying and responding to compromised credentials attacks.

The sad fact is that many security operation centres (SOCs) still fail to detect credential-based attacks.  A lack of visibility into credential misuse is far more common, which makes PayPal’s efforts here are a rare exception to the norm. Organisations generally struggle to spot attackers moving laterally around their networks. 

The most effective detection capability is the development of a baseline for normal employee and endpoint behaviour, which can specifically assist security teams with identifying the use of compromised credentials for initial access and later maintaining network access.  If you know what normal behaviour looks like first, abnormalities are far easier to spot quickly”.

Last edited 4 months ago by Matt.Rider
Baber Amin
Baber Amin , COO
InfoSec Expert
January 24, 2023 10:54 am

“Another day, another credential stuffing attack. We are starting to see a pattern here, as consumers create more accounts and resuse or recycle their passwords. As consumers we need to take responsibility to safeguard our accounts, and practice good security. This includes:

 — Don’t reuse or recycle passwords (to be fair, this could be hard to do for most folks as the number of online accounts continue to mushroom)
 — Enable two factor authentication on any account or service that offers it as an option. This is your first line of defense.

“As trusted vendors, PayPal and others need to set a higher bar here. Vendors should implement:
 — Processes to monitor and identify anomalous behavior, like the vast number of login failures from a credential stuffing attack. There are multiple tools and services that can do this now. For PayPal to take multiple days to catch this should not be acceptable;
— Actively encourage customers to use two factor authentication, and not just provide it as an option. 
— Actively eliminate passwords from their user facing systems by fast tracking Fido Passkey adoption

Last edited 4 months ago by Baber Amin

Recent Posts

Would love your thoughts, please comment.x