DataBreaches.Net

Menu
  • About
  • Breach Notification Laws
  • Privacy Policy
  • Transparency Report
Menu

34,942 PayPal users notified of data security incident in December

Posted on January 19, 2023 by Dissent

PayPal has sent breach notifications to 34,942 users this week. Their notification reads, in part:

On December 20, 2022, we confirmed that unauthorized parties were able to access your PayPal customer account using your login credentials. We have no information suggesting that any of your personal information was misused as a result of this incident, or that there are any unauthorized transactions on your account. There is also no evidence that your login credentials were obtained from any PayPal systems.

Based on PayPal’s investigation to date, we believe that this unauthorized activity occurred between December 6, 2022, and December 8, 2022, when we eliminated access for unauthorized third parties.

During this time, the unauthorized third parties were able to view, and potentially acquire, some personal information for certain PayPal users.

We have not delayed this notification as a result of any law enforcement investigation.

WHAT INFORMATION WAS INVOLVED?
The personal information that was exposed could have included your name, address, Social Security number, individual tax identification number, and/or date of birth.

The full notification letter has been uploaded here.

In a related submission to the Maine Attorney General’s Office, PayPal indicates that this was likely a credential stuffing attack:

On behalf of PayPal, Inc. (“PayPal”), and pursuant to Me. Rev. Stat. Ann. tit. 10 § 1348(5), this letter provides notice of a credential stuffing incident involving Maine residents. PayPal is a financial technology company headquartered in San Jose, California.

Based on PayPal’s investigation to date, we believe that an unauthorized party was able to access PayPal accounts using the customers’ login credentials between December 6, 2022, and December 8, 2022, when we eliminated the access for unauthorized third parties to our systems. It is likely that the unauthorized party obtained the login credentials via phishing or related activity, unrelated to PayPal. However, there is no evidence that the account login credentials were obtained from any PayPal systems.

The full submission has been uploaded here.

So far, there is no statement as to the source of the credentials used in this incident.

No related posts.

Category: Business SectorHackOf NoteOtherU.S.

Post navigation

← New Cybersecurity Directives (NIS2 and CER) Enter into Force in EU
No evidence of personal data leak amid national security probe: NHIA →

Now more than ever

"Stand with Ukraine:" above raised hands. The illustration is in blue and yellow, the colors of Ukraine's flag.

Search

Browse by Categories

Recent Posts

  • Chinese hackers suspected in breach of powerful DC law firm
  • Qilin Emerged as The Most Active Group, Exploiting Unpatched Fortinet Vulnerabilities
  • CISA tags Citrix Bleed 2 as exploited, gives agencies a day to patch
  • McDonald’s McHire leak involving ‘123456’ admin password exposes 64 million applicant chat records
  • Qilin claims attack on Accu Reference Medical Laboratory. It wasn’t the lab’s first data breach.
  • Louis Vuitton hit by data breach in Türkiye, over 140,000 users exposed; UK customers also affected (1)
  • Infosys McCamish Systems Enters Consent Order with Vermont DFR Over Cyber Incident
  • Obligations under Canada’s data breach notification law
  • German court offers EUR 5000 compensation for data breaches caused by Meta
  • Air Force Employee Pleads Guilty to Conspiracy to Disclose Unlawfully Classified National Defense Information

No, You Can’t Buy a Post or an Interview

This site does not accept sponsored posts or link-back arrangements. Inquiries about either are ignored.

And despite what some trolls may try to claim: DataBreaches has never accepted even one dime to interview or report on anyone. Nor will DataBreaches ever pay anyone for data or to interview them.

Want to Get Our RSS Feed?

Grab it here:

https://databreaches.net/feed/

RSS Recent Posts on PogoWasRight.org

  • DeleteMyInfo Wins 2025 Digital Privacy Excellence Award from Internet Safety Council
  • TikTok Loses First Appeal Against £12.7M ICO Fine, Faces Second Investigation by DPC
  • German court offers EUR 5000 compensation for data breaches caused by Meta
  • How to Build on Washington’s “My Health, My Data” Act
  • Department of Justice Subpoenas Doctors and Clinics Involved in Performing Transgender Medical Procedures on Children
  • Google Settles Privacy Class Action Over Period Tracking App
  • ICE Is Searching a Massive Insurance and Medical Bill Database to Find Deportation Targets

Have a News Tip?

Email: Tips[at]DataBreaches.net

Signal: +1 516-776-7756

Contact Me

Email: info[at]databreaches.net

Mastodon: Infosec.Exchange/@PogoWasRight

Signal: +1 516-776-7756

DMCA Concern: dmca[at]databreaches.net
© 2009 – 2025 DataBreaches.net and DataBreaches LLC. All rights reserved.