SOCRadar® Cyber Intelligence Inc. | PayPal Reveals Credential Stuffing Attack That Affected 35K Users


Jan 20, 2023
3 Mins Read

PayPal Reveals Credential Stuffing Attack That Affected 35K Users

PayPal has disclosed that it was hit by a credential stuffing attack last month. The online payment platform notifies all users whose data has been compromised due to the attack. 

Hackers carry out credential stuffing attacks using lists of credentials obtained from the dark web, data leaks, or other sources. The attack relies on users recycling their passwords throughout multiple websites. A bot is typically used in the attack, and the hackers gain access to any accounts with matching usernames and passwords. 

The attack occurred between December 6 and December 8, according to PayPal, and the company was able to detect the incident and work around it. PayPal conducted an additional internal system investigation to determine the attack vector and discovered it was a credential stuffing attack by December 20. 

Which Data Is Impacted? 

According to the company, unauthorized attackers could access 34,942 PayPal users’ accounts. Account holders’ full names, birthdates, postal addresses, social security numbers, and unique tax identification numbers were available to hackers for two days. 

Thus, threat actors also had the opportunity to access transaction histories, relevant credit or debit card information, and information about PayPal invoices.

PayPal responded quickly to the breach by limiting the attackers’ access to the system and changing the passwords of the affected accounts. The company claims that the incident was not the result of a system breach, and there was no proof that attackers directly stole user credentials from the platform. 

Furthermore, the notification from PayPal states that the attackers have not attempted any transactions after accessing the users’ accounts. 


The company urges those who receive the notices to change their passwords for other accounts to stronger ones that are unique and long.

Additionally, PayPal suggests that users enable two-factor authentication (2FA) security through the ‘Account Settings’ menu, which can prevent an unauthorized person from accessing an account even if they have a valid username and password. 

For compensation, PayPal will provide affected users with a free two-year identity monitoring service

Monitor Leaked Credentials with SOCRadar 

SOCRadar enables monitoring credentials posted on various platforms. Cybercriminals may share credential databases on dark web forumsTelegram channels, and other environments that SOCRadar monitors. To find out if your data has been leaked, you can access a free dark web report for your domain through SOCRadar Labs.

Get a free dark web report with SOCRadar Labs and find out if any leaked credentials are related to your organization.

Find out if your data has been exposed.

Visit another blog on SOCRadar to learn more about security measures that can thwart credential stuffing incidents. The same security steps mentioned in the blog can also help lower the risks and restore the security of your data if it has already been compromised.