Categories: Tech

Social Security Numbers Stolen In PayPal Cyber Attack

Another reason why you should set good passwords and use two-factor authentication.
Sarah Tew/CNET

The Social Security numbers and other personal information of about 35,000 PayPal users was stolen in a December credential-stuffing attack, the company said in a Wednesday regulatory filing.

According to a documents filed with the state of Maine, the attack occurred between Dec. 6 and Dec. 8 of last year and was discovered on Dec. 20. In addition to Social Security numbers, user names, addresses, dates of birth and individual tax identification numbers also may have been compromised.

There’s no indication that any financial information was stolen, or that customer accounts were misused, PayPal said. The company’s payment systems were also not affected.

In a statement released to CNET on Thursday, PayPal said it has contacted affected customers and offered guidance on how to further protect their personal information. The company also reset the passwords of all of the affected accounts and is requiring their users to set new ones the next time they log in.

PayPal is also providing those affected with identity theft monitoring services through Equifax for the next two years,

In a credential-stuffing attack, cybercriminals bombard online accounts with combinations of user names and passwords, often stolen in previous data breaches, in an attempt to access as many accounts as possible.

That’s a big reason why cybersecurity experts say consumers should always enable two-factor authentication whenever possible. The security measure requires a second form of authentication, like a fingerprint or a code sent to a user’s phone, in addition to a password, protecting a user in the event their password is compromised.

In addition, people should always use long, unique and random passwords for each of their online accounts. Those will be less likely to show up on the lists of passwords used to crack accounts in credential-stuffing attacks.