Cyberattack on PayPal Exposes User Social Security Numbers

Cybercriminals used a credential-stuffing attack to crack user accounts, the company says.

Bree Fowler Senior Writer

Another reason why you should set good passwords and use two-factor authentication.

Cybercriminals made off with the Social Security numbers and other personal information of about 35,000 PayPal customers after a December credential-stuffing attack.

According to a disclosure statement filed with the state of Maine, the attack occurred between Dec. 6 and Dec. 8 of last year and was discovered on Dec. 20. In addition to Social Security numbers, usernames, addresses, dates of birth and individual tax identification numbers also may have been compromised.

There's no indication that any financial information was stolen, or that customer accounts were misused, PayPal said. The company's payment systems were also not affected. 

In a statement released to CNET, PayPal said it has contacted affected customers and offered guidance on how to further protect their personal information. The company also reset the passwords of all of the affected accounts and is requiring their users to set new ones the next time they log in.

PayPal is also providing those affected with identity theft monitoring services through Equifax for the next two years.

In a credential-stuffing attack, cybercriminals bombard online accounts with combinations of user names and passwords, often stolen in previous data breaches, in an attempt to access as many accounts as possible.

That's a big reason why cybersecurity experts say consumers should always enable two-factor authentication whenever possible. The security measure requires a second form of authentication, like a fingerprint or a code sent to a user's phone, in addition to a password, protecting a user in the event their password is compromised.

In addition, people should always use long, unique and random passwords for each of their online accounts. Those will be less likely to show up on the lists of passwords used to crack accounts in credential-stuffing attacks. And here's what to do if you think your Social Security number has been stolen.
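The attack pattern described above, many usernames tried from one source in a short window with mostly failures, is what defenders look for in authentication logs. The following is an added example, not code from the article or from PayPal; the log format, the IP addresses (documentation ranges) and the usernames are all constructed, and the thresholds are illustrative assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (not real data); 203.0.113.0/24 and 198.51.100.0/24
# are documentation ranges. One IP sprays six usernames in five seconds
# and succeeds once; another is a single user retyping a password.
SAMPLE_LOG = """\
2022-12-06T10:00:01Z ip=203.0.113.7 user=alice result=FAIL
2022-12-06T10:00:02Z ip=203.0.113.7 user=bob result=FAIL
2022-12-06T10:00:02Z ip=203.0.113.7 user=carol result=FAIL
2022-12-06T10:00:03Z ip=203.0.113.7 user=dave result=OK
2022-12-06T10:00:04Z ip=203.0.113.7 user=erin result=FAIL
2022-12-06T10:00:05Z ip=203.0.113.7 user=frank result=FAIL
2022-12-06T10:00:07Z ip=198.51.100.9 user=grace result=FAIL
2022-12-06T10:00:20Z ip=198.51.100.9 user=grace result=FAIL
2022-12-06T10:00:40Z ip=198.51.100.9 user=grace result=OK
"""

def parse_line(line):
    """Split one 'ts ip=.. user=.. result=..' line into its four fields."""
    ts, *fields = line.split()
    kv = dict(f.split("=", 1) for f in fields)
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), kv["ip"], kv["user"], kv["result"]

def detect_credential_stuffing(log_text, window=timedelta(seconds=60),
                               min_users=5, min_fail_ratio=0.75):
    """Flag source IPs that try many distinct usernames inside `window` and
    mostly fail (one user mistyping a password hits a single username).
    Any success inside a flagged window ('hits') is an account to reset."""
    events = defaultdict(list)
    for line in log_text.splitlines():
        if line.strip():
            when, ip, user, result = parse_line(line)
            events[ip].append((when, user, result))
    flagged = {}
    for ip, evs in sorted(events.items()):
        evs.sort()
        start = 0
        for end in range(len(evs)):
            while evs[end][0] - evs[start][0] > window:  # keep span <= window
                start += 1
            span = evs[start:end + 1]
            users = {u for _, u, _ in span}
            fails = sum(r != "OK" for _, _, r in span)
            if len(users) >= min_users and fails / len(span) >= min_fail_ratio:
                flagged[ip] = {"users": len(users), "attempts": len(span),
                               "fail_ratio": round(fails / len(span), 2),
                               "hits": sorted(u for _, u, r in span if r == "OK")}
    return flagged
```

Running `detect_credential_stuffing(SAMPLE_LOG)` flags only 203.0.113.7 (six usernames, five failures out of six attempts) and lists `dave` as the one account the spray got into; the single user retrying one password is not flagged.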