PayPal Hack Exposes Customers’ Social Security Numbers, Names

Thousands of PayPal’s customers’ Social Security numbers and names have been exposed in a hack, according to reports.

Some 35,000 PayPal user accounts have been hacked by “credential stuffing.”

The breach resulted in hackers obtaining confidential information on PayPal’s customers, according to a notification posted on a government website.

The California-based payment processor sent a notice to Maine’s attorney general via its lawyers.

On January 19, the company also sent a letter about the data breach to impacted users.

That letter said that the accounts were breached sometime between December 6 and December 8, 2022.

The company said that it was able to deal with the attack soon after it occurred, according to the letter.

The notification to users said that 34,942 users were impacted by the incident and that unauthorized third parties gained access to their accounts.

Those third parties, which were not identified, could view full names, dates of birth, Social Security numbers, addresses, and tax identification numbers.

“We have no information suggesting that any of your personal information was misused as a result of this incident, or that there are any unauthorized transactions on your account,” said PayPal’s letter.

Specifically, the hackers used a “credential stuffing” attack, in which username and password pairs exposed in previous data breaches are automatically submitted to another service’s login page in the hope that account holders reused the same credentials.
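The pattern described above has a recognisable footprint in a service’s own login logs: one source address cycling through many different usernames with a high failure rate, and the occasional success marking an account whose reused password was in the leaked set. The following is an added example, not code from the article or from PayPal; it assumes a hypothetical log format of `timestamp source_ip username outcome`, constructed sample lines, and illustrative thresholds, and shows how a defender would flag such a source and list the accounts that need a password reset and a notification.

```python
"""
Added example (not part of the original article): a small detector that flags
credential-stuffing patterns in web login logs.

Assumptions (not from the article): a hypothetical log format of
"timestamp source_ip username outcome", constructed sample lines,
and illustrative thresholds.
"""
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed sample log lines (not real PayPal data). The first source
# tries eight different usernames in a few seconds and mostly fails, which
# is the signature of replaying credentials leaked in earlier breaches;
# the second is one user mistyping their own password; the third is a
# normal single login.
SAMPLE_LOG = """\
2022-12-06T10:00:01Z 198.51.100.7 alice FAIL
2022-12-06T10:00:02Z 198.51.100.7 bob FAIL
2022-12-06T10:00:02Z 198.51.100.7 carol SUCCESS
2022-12-06T10:00:03Z 198.51.100.7 dave FAIL
2022-12-06T10:00:03Z 198.51.100.7 erin FAIL
2022-12-06T10:00:04Z 198.51.100.7 frank FAIL
2022-12-06T10:00:05Z 198.51.100.7 grace SUCCESS
2022-12-06T10:00:05Z 198.51.100.7 heidi FAIL
2022-12-06T10:01:10Z 203.0.113.42 alice FAIL
2022-12-06T10:01:15Z 203.0.113.42 alice FAIL
2022-12-06T10:01:30Z 203.0.113.42 alice SUCCESS
2022-12-06T10:02:00Z 192.0.2.9 mallory SUCCESS
"""


@dataclass
class SourceStats:
    """Per-source-address counters accumulated from the log."""
    attempts: int = 0
    failures: int = 0
    usernames: set = field(default_factory=set)
    successes: set = field(default_factory=set)  # accounts that logged in from this source


def parse_log(text):
    """Yield (source_ip, username, outcome) tuples from the hypothetical log format."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # skip malformed lines rather than crash the detector
        _timestamp, ip, user, outcome = parts
        yield ip, user, outcome.upper()


def summarise(text):
    """Aggregate attempts, failures and distinct usernames per source address."""
    stats = defaultdict(SourceStats)
    for ip, user, outcome in parse_log(text):
        s = stats[ip]
        s.attempts += 1
        s.usernames.add(user)
        if outcome == "SUCCESS":
            s.successes.add(user)
        else:
            s.failures += 1
    return stats


def flag_credential_stuffing(text, min_users=5, min_fail_ratio=0.5):
    """Return {source_ip: sorted list of accounts that succeeded} for suspicious sources.

    Heuristic (illustrative thresholds): many *distinct* usernames from one
    source combined with a high failure ratio. A single user retrying their
    own password (one username, a few attempts) is deliberately not flagged.
    The accounts that did succeed from a flagged source are the ones to
    force-reset and notify, which is what the article says PayPal did.
    """
    flagged = {}
    for ip, s in summarise(text).items():
        distinct_users = len(s.usernames)
        fail_ratio = s.failures / s.attempts
        if distinct_users >= min_users and fail_ratio >= min_fail_ratio:
            flagged[ip] = sorted(s.successes)
    return flagged


if __name__ == "__main__":
    for ip, hit_accounts in flag_credential_stuffing(SAMPLE_LOG).items():
        print(f"{ip}: probable credential stuffing; accounts to reset and notify: {hit_accounts}")
```

The thresholds are deliberately coarse; in production the same counters would be kept per time window and combined with rate limiting, and the success list is the input to the password reset and user notification the article describes. Enabling 2-step verification, as PayPal recommends, makes a matched password alone insufficient, so even a flagged success would not yield account access.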

“If you detect any suspicious activity on an account, change the password and security questions immediately, and promptly notify the company where the account is maintained,” PayPal said.

“You may also add additional security for your PayPal account by enabling ‘2-step verification’ in your Account Settings.


“When links are present in an email, individuals should hover [their] mouse over the links to view the actual destination URL and should not click on the link if [they] are unsure of the destination URL or website.”

Furthermore, the company said it has reset passwords on the afflicted PayPal accounts.

Impacted users will also get free identity monitoring services from Equifax, the consumer credit reporting company.

In a statement to PCMag, the company maintained that it was only a “small number of PayPal customer accounts” that were impacted by the breach.

“PayPal’s payment systems were not impacted, and no financial information was accessed,” the firm said.

“We have contacted affected customers directly to provide guidance on this matter to help them further protect their information.

“The security and privacy of our customers’ account information [remain] a top priority for PayPal, and we sincerely apologize for any inconvenience this may have caused.”

Sam Curry, the chief security officer at Cybereason, told Forbes magazine that what happened was that previous hacks “led to a large population’s passwords in use elsewhere being stolen, and because people often reuse passwords and have done so for a long time.”

Elaborating, he added that “the hackers were able to brute slam PayPal accounts with these until they found 35,000 matches.”

“If a threat actor can access legitimate credentials–even if they’re dumped in a dark-web repository–they are only a few short, and in most cases, automated steps away from a successful intrusion,” Jasson Casey, the chief technology officer at Beyond Identity, told HackRead.

The security breach comes just days after T-Mobile confirmed an unidentified malicious intruder breached its network in late November 2022 and stole data on 37 million customers, according to a regulatory filing with the U.S. Securities and Exchange Commission.

T-Mobile said that the data breach was found on Jan. 5, adding that data exposed to the theft did not include critical information such as PINs, bank account numbers, credit card information, Social Security numbers, or government identification numbers.

Instead, addresses, phone numbers, and dates of birth were accessed, the filing said.

“Our investigation is still ongoing, but the malicious activity appears to be fully contained at this time,” T-Mobile said.

The company added that the data was first accessed around November 25, 2022, but wasn’t discovered until weeks later.


By Nick R. Hamilton

Nick has a broad background in journalism, business, and technology. He covers news on cryptocurrency, traditional assets, and economic markets.
