DataBreaches.Net

Menu
  • About
  • Breach Notification Laws
  • Privacy Policy
  • Transparency Report
Menu

34,942 PayPal users notified of data security incident in December

Posted on January 19, 2023 by Dissent

PayPal has sent breach notifications to 34,942 users this week. Their notification reads, in part:

On December 20, 2022, we confirmed that unauthorized parties were able to access your PayPal customer account using your login credentials. We have no information suggesting that any of your personal information was misused as a result of this incident, or that there are any unauthorized transactions on your account. There is also no evidence that your login credentials were obtained from any PayPal systems.

Based on PayPal’s investigation to date, we believe that this unauthorized activity occurred between December 6, 2022, and December 8, 2022, when we eliminated access for unauthorized third parties.

During this time, the unauthorized third parties were able to view, and potentially acquire, some personal information for certain PayPal users.

We have not delayed this notification as a result of any law enforcement investigation.

WHAT INFORMATION WAS INVOLVED?
The personal information that was exposed could have included your name, address, Social Security number, individual tax identification number, and/or date of birth.

The full notification letter has been uploaded here.

In a related submission to the Maine Attorney General’s Office, PayPal indicates that this was likely a credential stuffing attack:

On behalf of PayPal, Inc. (“PayPal”), and pursuant to Me. Rev. Stat. Ann. tit. 10 § 1348(5), this letter provides notice of a credential stuffing incident involving Maine residents. PayPal is a financial technology company headquartered in San Jose, California.

Based on PayPal’s investigation to date, we believe that an unauthorized party was able to access PayPal accounts using the customers’ login credentials between December 6, 2022, and December 8, 2022, when we eliminated the access for unauthorized third parties to our systems. It is likely that the unauthorized party obtained the login credentials via phishing or related activity, unrelated to PayPal. However, there is no evidence that the account login credentials were obtained from any PayPal systems.

The full submission has been uploaded here.

So far, there is no statement as to the source of the credentials used in this incident.

Related:

  • Commentary: Repeated insider breaches at TD Bank…
  • Kept in the Dark -- Meet the Hired Guns Who Make…
  • Break Down and Insight into Project Sun Rise African…
  • What OPSEC? Member of "thedarkoverlord" allegedly…
  • Unencrypted laptops still a major cause of breach…
Category: Business SectorHackOf NoteOtherU.S.

Post navigation

← New Cybersecurity Directives (NIS2 and CER) Enter into Force in EU
No evidence of personal data leak amid national security probe: NHIA →

Now more than ever

"Stand with Ukraine:" above raised hands. The illustration is in blue and yellow, the colors of Ukraine's flag.

Search

Browse by Categories

Recent Posts

  • Dublin ETB fined €125,000 for data protection breaches
  • From $5,000 to $800,000: Days Apart, OCR Security Settlements Show Puzzling Math
  • Liberty Township in Ohio has recovered its network after a ransomware attack
  • Marquette County Medical Care Facility discloses data breach
  • Industry Letter – June 23, 2025: Impact to Financial Sector of Ongoing Global Conflicts
  • MNGI Digestive Health settles class action lawsuit stemming from BlackCat attack
  • Four REvil ransomware members released after time served on carding charges
  • Why Dumping Sensitive Data on Network Shares is a Liability
  • A militarily degraded Iran may turn to asymmetrical warfare – raising risk of proxy and cyber attacks
  • Pro-Russian hackers disrupt Dutch government websites ahead of NATO summit

No, You Can’t Buy a Post or an Interview

This site does not accept sponsored posts or link-back arrangements. Inquiries about either are ignored.

And despite what some trolls may try to claim: DataBreaches has never accepted even one dime to interview or report on anyone. Nor will DataBreaches ever pay anyone for data or to interview them.

Want to Get Our RSS Feed?

Grab it here:

https://databreaches.net/feed/

RSS Recent Posts on PogoWasRight.org

Have a News Tip?

Email: Tips[at]DataBreaches.net

Signal: +1 516-776-7756

Contact Me

Email: info[at]databreaches.net

Mastodon: Infosec.Exchange/@PogoWasRight

Signal: +1 516-776-7756

DMCA Concern: dmca[at]databreaches.net
© 2009 – 2025 DataBreaches.net and DataBreaches LLC. All rights reserved.