PayPal has begun sending data breach notices to users of its online payment service whose accounts were accessed by hackers last December. [According to BleepingComputer (opens in new tab), the company's internal systems were not compromised in this case, and the hackers behind the attack used credential stuffing to access the accounts of about 35,000 customers.

In a security incident notice (opens in new tab) sent to affected customers, PayPal explained that the attack itself took place between December 6 and 8 of last year. The company detected the attack taking place and took steps to mitigate it at that time. However, PayPal has also launched an internal investigation to determine how the culprit hackers were able to access customer accounts.

Although the company claims that the hackers were unable to execute transactions using the compromised accounts, they did manage to steal considerable sensitive information from the affected customers, including full names, dates of birth, physical addresses, Social Security numbers, and taxpayer identification numbers.

PayPal's investigation revealed that the hackers behind this attack used credential stuffing as a means of accessing customer accounts. Unlike data breaches, this attack method uses existing credentials that are already circulating on the dark web.

Credential stuffing attacks often rely on automation to crack user accounts using bots with lists of usernames and passwords obtained in previous data breaches. These bots attempt credentials across multiple online services in the hopes that customers have not recently changed their passwords.

This is why password reuse (using the same password for multiple accounts) is so dangerous. If a site or service is compromised and a hacker gets your password, they will try to use it to log into your other accounts.

If you receive a message from PayPal that your account has been compromised by hackers, the company has already reset your password. Therefore, the next time you log in, you will need to create a strong, complex, unique password for your account. This can be done with the best password managers that generate strong passwords. However, many of them offer free password generators online.

PayPal offers two years of free identity monitoring from Equifax, since hackers can do quite a lot with your name, date of birth, address, and social security number. But if you want additional protection, I recommend signing up for one of the best identity theft protection services. They will monitor your identity and also provide insurance coverage in case your identity is stolen. Should this occur, these funds can be used to get your identity back, obtain new documents, and cover other costs associated with identity theft.

PayPal also recommends enabling two-factor authentication (2FA) on your account. This helps prevent hackers from accessing your account, even if they have access to your credentials.

Password reuse, despite its risks, remains a major problem, but we hope that this incident will help convince more people to use strong, complex, and unique passwords for each of their online accounts, especially financial-related accounts. Hopefully, this incident will help convince more people to use strong, complex, and unique passwords for their online accounts, especially financial accounts.