The PayPal Data Breach: How, Why & Lessons for the Future

PayPal, the massive online payment platform, has recently sent out data breach notifications to tens of thousands of users whose accounts were accessed in a credential stuffing attack that exposed personal client data. According to accounts from PayPal, the attack occurred sometime between December 6th and 8th, 2022. PayPal immediately rectified the issue after being notified by December 20th, but not before almost 35,000 users had been impacted by the incident. For the affected users, hackers had access to the account holders’ full names, dates of birth, postal addresses, social security numbers, credit card numbers, and individual tax identification numbers.

How did this happen?

The hackers used a technique called credential stuffing, in which an attacker attempts to access an account using username and password pairs obtained from data leaks on other websites. The technique is typically automated: bots work through pre-made lists of username and password pairs, trying thousands of combinations per minute. Credential stuffing targets users who reuse the same username and password combination across multiple accounts, a habit commonly referred to as “password recycling”.
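The traits described above (one source trying many different accounts in a short time, with most attempts failing) are what defenders look for in authentication logs. The following is an added example, not part of the original article and not PayPal's own tooling; the log format, thresholds, and sample lines are constructed assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=1)  # assumed look-back window per source IP
MIN_USERS = 5                  # assumed: distinct usernames tried within the window
MIN_FAIL_RATIO = 0.8           # assumed: share of failed logins within the window

def parse(line):
    """Parse 'ISO-timestamp ip=... user=... result=OK|FAIL' (constructed format)."""
    ts, *fields = line.split()
    kv = dict(f.split("=", 1) for f in fields)
    return datetime.fromisoformat(ts), kv["ip"], kv["user"], kv["result"] == "OK"

def detect_stuffing(lines):
    """Return {ip: accounts that logged in successfully} for IPs matching the pattern.

    Those accounts are the ones whose reused password worked, so they are the
    candidates for a forced password reset.
    """
    recent = defaultdict(deque)    # ip -> (time, user, ok) events inside the window
    successes = defaultdict(set)   # ip -> usernames that authenticated from that ip
    flagged = set()
    for line in lines:
        ts, ip, user, ok = parse(line)
        if ok:
            successes[ip].add(user)
        win = recent[ip]
        win.append((ts, user, ok))
        while ts - win[0][0] > WINDOW:      # drop events older than the window
            win.popleft()
        distinct_users = {u for _, u, _ in win}
        fails = sum(1 for _, _, o in win if not o)
        # Many different accounts, mostly failing: stuffing rather than a typo
        # (one user, few tries) or single-account guessing (one user, many tries).
        if len(distinct_users) >= MIN_USERS and fails / len(win) >= MIN_FAIL_RATIO:
            flagged.add(ip)
    return {ip: sorted(successes[ip]) for ip in flagged}

# Constructed sample log: ten accounts tried from one IP in 20 seconds (one hit),
# then a user mistyping a password, then repeated guesses against one account.
SAMPLE = [f"2022-12-06T10:00:{i * 2:02d} ip=203.0.113.7 user=user{i} "
          f"result={'OK' if i == 3 else 'FAIL'}" for i in range(10)]
SAMPLE += [f"2022-12-06T10:05:0{i} ip=198.51.100.4 user=alice result={r}"
           for i, r in enumerate(["FAIL", "FAIL", "OK"])]
SAMPLE += [f"2022-12-06T10:06:0{i} ip=198.51.100.9 user=bob result=FAIL"
           for i in range(6)]

if __name__ == "__main__":
    print(detect_stuffing(SAMPLE))
```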

What was the result?

As mentioned previously, roughly 35,000 users were affected in this data breach. However, PayPal’s official statement reads: “We have no information suggesting that any of your personal information was misused as a result of this incident, or that there are any unauthorized transactions on your account”. When it came to remediation, PayPal took the following actions:

“We reset the passwords of the affected PayPal accounts and implemented enhanced security controls that will require you to establish a new password the next time you log in to your account” – PayPal

How could this have been prevented?

Credential stuffing attacks can be difficult to defend against because they exploit users’ mismanagement of their own accounts. However, it’s not impossible. By using a holistic security approach, organizations can prevent these types of issues before they happen. Security controls such as multi-factor authentication, mandatory password rotations, encryption, and data anonymization are all key to preventing a breach of this nature. PayPal users can also create extra protections for themselves by changing passwords regularly (not only when prompted), using unique passwords, reviewing account security settings, and setting up text or email alerts to spot fraudulent activity.

About Paperclip SAFE
In September 2022, Paperclip launched Paperclip SAFE, a breakthrough solution specifically designed to prevent data theft and ransomware attacks, both on premise and in the cloud. The solution – trusted by Paperclip, Inc. for more than two years to keep its Fortune 1000 clients’ data safe – does so using breakthrough encryption-in-use technology. For more information, visit