PayPal has confirmed that between December 6 and December 8, 2022, nearly 35,000 accounts were accessed via a credential stuffing attack, which led to a leak of personal information such as users’ names, addresses, social security numbers and tax identification numbers.
The company stressed it has no evidence that personal information was misused as a result of the attack.
PayPal claims that this was not the result of a breach of its systems, since no evidence suggests that the user credentials were obtained directly from those systems.
The hackers were able to access the accounts by using credential stuffing, whereby pairs of usernames and passwords sourced from data leaks are tried on various websites. With the help of bots, lists of credentials are inserted into login portals for various services. Users who employ the same password for multiple online accounts, known as password recycling, are most prone to credential-stuffing attacks.
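An added example, not from the original article or from PayPal: one way a defender can spot the pattern described above in login logs, where a single source tries many different accounts and mostly fails. The log format, thresholds and function name are assumptions, and the sample events are constructed.

```python
from collections import defaultdict

# Constructed sample login events: "timestamp source_ip username outcome".
SAMPLE_LOG = """\
2022-12-06T10:00:01Z 203.0.113.7 user01@example.com FAIL
2022-12-06T10:00:02Z 203.0.113.7 user02@example.com FAIL
2022-12-06T10:00:03Z 203.0.113.7 user03@example.com OK
2022-12-06T10:00:04Z 203.0.113.7 user04@example.com FAIL
2022-12-06T10:00:05Z 203.0.113.7 user05@example.com FAIL
2022-12-06T10:00:06Z 203.0.113.7 user06@example.com FAIL
2022-12-06T10:01:00Z 198.51.100.20 bob@example.com FAIL
2022-12-06T10:01:05Z 198.51.100.20 bob@example.com FAIL
2022-12-06T10:01:09Z 198.51.100.20 bob@example.com FAIL
2022-12-06T10:01:15Z 198.51.100.20 bob@example.com OK
2022-12-06T10:02:00Z 192.0.2.50 ann@example.com OK
2022-12-06T10:02:10Z 192.0.2.50 raj@example.com OK
2022-12-06T10:02:20Z 192.0.2.50 lee@example.com OK
2022-12-06T10:02:30Z 192.0.2.50 kim@example.com OK
2022-12-06T10:02:40Z 192.0.2.50 sam@example.com OK
"""

def find_stuffing_sources(log_text, min_users=5, max_success_ratio=0.2):
    """Flag source IPs that try many distinct accounts and mostly fail."""
    users = defaultdict(set)     # ip -> distinct usernames attempted
    attempts = defaultdict(int)  # ip -> total login attempts
    hits = defaultdict(set)      # ip -> usernames that logged in successfully
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # skip malformed lines
        _ts, ip, user, outcome = parts
        user = user.lower()
        users[ip].add(user)
        attempts[ip] += 1
        if outcome == "OK":
            hits[ip].add(user)
    findings = {}
    for ip, seen in users.items():
        ratio = len(hits[ip]) / attempts[ip]
        if len(seen) >= min_users and ratio <= max_success_ratio:
            # Accounts in hits[ip] accepted a reused password: reset and notify them.
            findings[ip] = {"accounts_tried": len(seen), "compromised": sorted(hits[ip])}
    return findings

if __name__ == "__main__":
    for ip, info in find_stuffing_sources(SAMPLE_LOG).items():
        print(ip, info)
```

The single user who mistypes a password several times and the shared office address where everyone logs in successfully are both left alone; only the source that sprays many accounts with a low success rate is reported, along with the accounts that need a forced reset.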
Some sections of the tech community blame PayPal users for the attacks.
PCWorld says, “PayPal wasn’t hacked, and none of these accounts would have been compromised if their owners followed some fundamental online security practices.”
It added, “Don’t reuse passwords across accounts, especially ones that hold ultra-sensitive private or banking information (like PayPal).”