Almost 35,000 PayPal accounts breached using known credentials

Hacker hacking on a laptop.
(Image credit: GETTY - boonchai wedmakawand)
Audio player loading…

Another friendly PSA to update those passwords, especially if you use the same ones across multiple accounts. Another breach has occurred, and it looks like attackers are using known login information used across multiple websites to get your data. This means an innocent little login on a long forgotten website might give bad actors access to more important things like your PayPal account.

According to Bleeping Computer (opens in new tab), 34,942 PayPal users have been affected by this latest credential stuffing attack on its systems. Credential stuffing is an automated approach where as many known logins as possible are stuffed into a website, which is why password recycling is a problem. 

Many websites won't have the kind of security that, say, your bank or PayPal will employ to protect your personal details. It makes sense: most people don't store their valuables in a plastic safe, but you also wouldn't put the PIN to your real safe inside one. If you're using the same password, especially if combined with the same login across multiple sites, it just makes things that much easier for the bad guys.

PayPal has found (opens in new tab) this attack took place in early December 2022, and after investigating was able to confirm the likelihood of credential stuffing being used.

Peak Storage

SATA, NVMe M.2, and PCIe SSDs on blue background

(Image credit: Future)

Best SSD for gaming (opens in new tab): the best solid state drives around
Best PCIe 4.0 SSD for gaming (opens in new tab): the next gen has landed
The best NVMe SSD (opens in new tab): this slivers of SSD goodness
Best external hard drives (opens in new tab): expand your horizons
Best external SSDs (opens in new tab): plug in upgrades for gaming laptops and consoles

For the two days the attack was running, hackers had access to all sorts of personal information, including full names, birth dates, address, social security numbers, and tax identification. They could also see PayPal transaction details that include credit card and bank information. 

But what's kind of weird is they didn't do anything with this information. At least, not yet. PayPal hasn't found evidence of the attackers trying to make transactions, or anything else from the sounds of things. It's uncertain if this was the efforts of someone simply seeing if they could, like the recent exposer of the TSA no-fly-list (opens in new tab), or if we should expect more nefarious actions to follow. 

PayPal has changed passwords and notified impacted users, along with providing two years worth of pro bono Equifax identity monitoring to keep an eye on things. The company recommends everyone enable two-factor authentication to help protect against these attacks in future, and of course change and stop recycling your passwords (opens in new tab). Especially in places you plan to keep important stuff like your identity. 

Hope Corrigan
Hardware Writer

Hope’s been writing about games for about a decade, starting out way back when on the Australian Nintendo fan site Vooks.net. Since then, she’s talked far too much about games and tech for publications such as Techlife, Byteside, IGN, and GameSpot. Of course there’s also here at PC Gamer, where she gets to indulge her inner hardware nerd with news and reviews. You can usually find Hope fawning over some art, tech, or likely a wonderful combination of them both and where relevant she’ll share them with you here. When she’s not writing about the amazing creations of others, she’s working on what she hopes will one day be her own. You can find her fictional chill out ambient far future sci-fi radio show/album/listening experience podcast (opens in new tab) right here.

No, she’s not kidding.