PayPal has revealed 34,942 customer accounts were accessed by threat actors last month amid a security incident, risking personal information, credit card details and transaction histories among other sensitive data.

The company revealed that unauthorised parties were able to access PayPal customer accounts using login credentials they had obtained elsewhere.

PayPal believes the unauthorised activity took place between 6 December 2022 and 8 December 2022, during which time unauthorised parties were able to view and "potentially acquire" the personal information of certain PayPal users.

PayPal said it promptly began investigation and took action upon learning of the unauthorised activity, including taking steps to "prevent unauthorised actors from obtaining further personal information."

By 20 December, PayPal had concluded from its investigation that unauthorised third parties were able to use valid credentials to access a range of PayPal customer accounts.

The company explained it reset the passwords of the affected accounts, and implemented measures to force users to establish a new password upon next login.

The personal information exposed during this incident could include names, addresses, social security numbers, individual tax identification numbers and/or dates of birth.

Other information which is commonly accessible on PayPal accounts includes transaction histories, expiry dates and last four digits of connected credit and debit cards, and PayPal invoicing data.

"Protecting the security of our customers’ information is very important to us," said PayPal.

"We want to make clear at the outset that keeping your personal data safe and secure is and will continue to be a priority moving forward," it added.

Simple 'credential stuffing' to blame

In a data breach notification submitted to the Attorney General of the US state of Maine, the method behind the attack was revealed to be 'credential stuffing'.

A credential stuffing attack is a common form of cyber crime in which attackers take username and password pairs stolen from one service and replay them, usually in bulk and with automated tooling, against the login page of another.

For example, if a cyber criminal had acquired a list of stolen login credentials from a separate incident, such as the 2020 dark web dump which exposed many Zoom users' credentials, the criminal could then attempt to use those stolen login details en masse against accounts on another platform, such as PayPal.

Credential stuffing is largely contingent on a phenomenon known as 'password recycling', where a user reuses the same username and/or password across multiple platforms.

Common advice to protect against credential stuffing is to use separate, strong passwords for each of your accounts – this way a stolen password from one platform is less likely to be used by hackers to break into another.
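The attack pattern described above has a recognisable signature on the defender's side: one source trying many different usernames in a short window with a low success rate, as opposed to a brute-force attack (many tries against one account) or a shared office gateway (many users, nearly all succeeding). The following is an added example, not PayPal's code or any detail of its investigation; the log format, the field order and the thresholds are assumptions made for this illustration, and the log lines are constructed. It also lists the accounts for which a login from a flagged source succeeded, which are the accounts that would need the forced password reset described earlier.

```python
"""Flag credential-stuffing sources in authentication logs.

Added example, not PayPal's code. The log format, field order and the
thresholds below are assumptions made for this illustration.
"""
from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample log: "<UTC timestamp> <source IP> <username> <OK|FAIL>".
# 203.0.113.7 sprays many different usernames with mostly failures (stuffing);
# 198.51.100.2 hammers one account (brute force, a different signature);
# 192.0.2.10 is a shared office gateway: many users, almost all successful;
# 192.0.2.55 is a single user who mistyped a password once.
SAMPLE_LOG = """\
2022-12-06T03:00:00Z 203.0.113.7 alice@example.com FAIL
2022-12-06T03:00:01Z 203.0.113.7 bob@example.com FAIL
2022-12-06T03:00:02Z 203.0.113.7 carol@example.com OK
2022-12-06T03:00:03Z 203.0.113.7 dave@example.com FAIL
2022-12-06T03:00:04Z 203.0.113.7 erin@example.com FAIL
2022-12-06T03:00:05Z 203.0.113.7 frank@example.com FAIL
2022-12-06T03:00:06Z 203.0.113.7 grace@example.com FAIL
2022-12-06T03:00:07Z 203.0.113.7 heidi@example.com FAIL
2022-12-06T03:01:00Z 198.51.100.2 dave@example.com FAIL
2022-12-06T03:01:01Z 198.51.100.2 dave@example.com FAIL
2022-12-06T03:01:02Z 198.51.100.2 dave@example.com FAIL
2022-12-06T03:01:03Z 198.51.100.2 dave@example.com FAIL
2022-12-06T03:01:04Z 198.51.100.2 dave@example.com FAIL
2022-12-06T03:01:05Z 198.51.100.2 dave@example.com FAIL
2022-12-06T09:00:00Z 192.0.2.10 ivan@example.com OK
2022-12-06T09:00:10Z 192.0.2.10 judy@example.com OK
2022-12-06T09:00:20Z 192.0.2.10 mallory@example.com OK
2022-12-06T09:00:30Z 192.0.2.10 oscar@example.com OK
2022-12-06T09:00:40Z 192.0.2.10 peggy@example.com OK
2022-12-06T09:00:50Z 192.0.2.10 trent@example.com FAIL
2022-12-06T09:01:00Z 192.0.2.10 trent@example.com OK
2022-12-06T12:00:00Z 192.0.2.55 alice@example.com FAIL
2022-12-06T12:00:05Z 192.0.2.55 alice@example.com OK
"""


@dataclass(frozen=True)
class LoginEvent:
    ts: datetime
    src_ip: str
    user: str
    ok: bool


def parse_log(text):
    """Parse the assumed log format into time-ordered LoginEvent records."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, user, result = line.split()
        events.append(LoginEvent(datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
                                 ip, user.lower(), result == "OK"))
    return sorted(events, key=lambda e: e.ts)


def find_stuffing_sources(events, window=timedelta(minutes=5),
                          min_distinct_users=5, max_success_ratio=0.2):
    """Per source IP, slide a time window over its login attempts and flag it
    when the window holds many distinct usernames but few successes.
    Returns {ip: {distinct_users, attempts, success_ratio, compromised}}."""
    by_ip = defaultdict(list)
    for e in events:
        by_ip[e.src_ip].append(e)

    flagged = {}
    for ip, evs in by_ip.items():
        win = deque()
        for e in evs:
            win.append(e)
            while e.ts - win[0].ts > window:       # drop events older than window
                win.popleft()
            users = {x.user for x in win}
            ratio = sum(x.ok for x in win) / len(win)
            if len(users) >= min_distinct_users and ratio <= max_success_ratio:
                hit = flagged.setdefault(ip, {"distinct_users": 0, "attempts": 0,
                                              "success_ratio": ratio,
                                              "compromised": set()})
                if len(users) > hit["distinct_users"]:   # keep the widest window seen
                    hit.update(distinct_users=len(users), attempts=len(win),
                               success_ratio=ratio)
                # any success from a flagged source is a likely account takeover
                hit["compromised"].update(x.user for x in win if x.ok)

    for hit in flagged.values():
        hit["compromised"] = sorted(hit["compromised"])
    return flagged


def analyze(text):
    return find_stuffing_sources(parse_log(text))


if __name__ == "__main__":
    for ip, hit in analyze(SAMPLE_LOG).items():
        print(ip, hit)
```

On the constructed log only 203.0.113.7 is flagged: eight distinct usernames in eight seconds with a single success (carol@example.com), which is the account to reset. The brute-force source fails the distinct-user test and the office gateway fails the low-success test, which is the distinction that keeps this signal from paging on normal traffic. In production the thresholds would be tuned to the site's baseline and the source key widened beyond a bare IP (ASN, device fingerprint, TLS fingerprint), since stuffing tools routinely rotate through proxy pools.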

The Australian Cyber Security Centre (ACSC) also encourages the use of multi-factor authentication (MFA) to add an extra layer of security against malicious login attempts.

"We recommend you update your passwords for any accounts where you are currently using the same username and password combination as those used for your PayPal account," warned PayPal.

"You may also add additional security for your PayPal account by enabling “2-step verification” in your Account Settings."

In a notice sent to impacted customers, PayPal said it had no information suggesting personal information was "misused" as a result of the incident nor did it find information suggesting "unauthorised transactions" were made in the breached PayPal accounts.

PayPal further states that it has no evidence suggesting the login credentials were obtained from any of its own systems.

For customers whose accounts were caught up in this incident, PayPal is offering complimentary identity monitoring services from consumer credit reporting agency Equifax, which itself was hacked in 2017 in a massive attack the US pinned on China.

The two-year service includes "Identity Restoration to help restore your identity should you become a victim of identity theft," as well as "up to $1,000,000 of identity theft insurance coverage for certain out of pocket expenses resulting from identity theft."