PayPal has sent breach notifications to 34,942 users this week. Their notification reads, in part:
On December 20, 2022, we confirmed that unauthorized parties were able to access your PayPal customer account using your login credentials. We have no information suggesting that any of your personal information was misused as a result of this incident, or that there are any unauthorized transactions on your account. There is also no evidence that your login credentials were obtained from any PayPal systems.
Based on PayPal’s investigation to date, we believe that this unauthorized activity occurred between December 6, 2022, and December 8, 2022, when we eliminated access for unauthorized third parties.
During this time, the unauthorized third parties were able to view, and potentially acquire, some personal information for certain PayPal users.
We have not delayed this notification as a result of any law enforcement investigation.
WHAT INFORMATION WAS INVOLVED?
The personal information that was exposed could have included your name, address, Social Security number, individual tax identification number, and/or date of birth.
The full notification letter has been uploaded here.
In a related submission to the Maine Attorney General’s Office, PayPal indicates that this was likely a credential stuffing attack:
On behalf of PayPal, Inc. (“PayPal”), and pursuant to Me. Rev. Stat. Ann. tit. 10 § 1348(5), this letter provides notice of a credential stuffing incident involving Maine residents. PayPal is a financial technology company headquartered in San Jose, California.
Based on PayPal’s investigation to date, we believe that an unauthorized party was able to access PayPal accounts using the customers’ login credentials between December 6, 2022, and December 8, 2022, when we eliminated the access for unauthorized third parties to our systems. It is likely that the unauthorized party obtained the login credentials via phishing or related activity, unrelated to PayPal. However, there is no evidence that the account login credentials were obtained from any PayPal systems.
The full submission has been uploaded here.
So far, there is no statement as to the source of the credentials used in this incident.