Root-cause analysis not yet published. The incident description below contains all currently available signal — review the attack transaction directly for definitive forensics.
According to reports, PayPal notified the Office of the Attorney General of Maine that it discovered on December 20, 2022 that it had been hacked and, after investigation, believed the incident occurred between December 6 and 8. The incident was a credential stuffing attack, and the total number of affected users is 34,942. PayPal pointed out that the attack may lead to the disclosure of customer information, including name, address, security code, personal tax information, phone number and birthday. However, PayPal emphasized that no user personal information has been stolen. PayPal also mentioned that it has provided 24 months of credit theft monitoring services for affected users. PayPal added that this incident was not caused by a vulnerability in PayPal's systems. Rather, users reuse the same account and password combinations across different services or websites, which allows hackers to steal, purchase, or otherwise obtain those account names and passwords elsewhere and then try a large number of account and password combinations to break into PayPal accounts. Attack method (per SlowMist): Credential stuffing attack. Reported loss: -.
- chain: —
- protocol: PayPal
- bug_class: unknown
- date_occurred: 2022-12-06
- loss_usd: —
- source_id: sm:paypal::2022-12-06