Cyber Incident Victim: PayPal
Date: Dec 2022
Location: United States of America
Summary
PayPal experienced a data breach resulting from a credential-stuffing attack, where unauthorized parties accessed customer accounts using compromised login credentials. The intrusion exposed sensitive personal information including names, addresses, Social Security numbers, tax identification numbers, and dates of birth. The company identified unauthorized account access over a two-day period, initiated an investigation, and confirmed data exfiltration before notifying affected individuals. Impacted users received breach notification letters detailing the compromised information.
Description
PayPal detected unauthorized access to customer accounts between December 6 and December 8, 2022, later confirmed to be the result of a credential-stuffing attack. The company discovered the breach on December 20, 2022, when it identified that attackers had successfully logged into accounts using compromised credentials. An immediate investigation revealed the attackers maintained access for a three-day window, during which they viewed and potentially exfiltrated sensitive personal information. PayPal determined the attackers targeted an undisclosed number of customer accounts through automated login attempts using credentials presumably obtained from unrelated third-party breaches. The company's security team contained the incident by December 8, though full discovery of the breach's scope required extended forensic analysis lasting approximately one month.

The compromised data included full names, physical addresses, Social Security numbers, individual tax identification numbers, and dates of birth – sufficient information to enable identity theft and financial fraud. PayPal completed its review of affected records by January 18, 2023, when it simultaneously filed a breach notification with the Maine Attorney General's Office and initiated consumer notification letters. The breach impacted an undisclosed number of PayPal's 426 million active users, though the company confirmed the attackers only accessed accounts where credentials were successfully matched. No evidence suggested compromise of PayPal's internal systems or infrastructure, as the attack exploited reused customer credentials rather than system vulnerabilities. Financial transaction data and passwords reportedly remained secure, with the breach limited to personal identification information stored in user profiles.
