---
title: "PayPal Credential Stuffing Attack: Data of nearly 35,000 Accounts at Risk | Phish Protection"
description: "Nearly 35,000 PayPal customers were the victim of a credential stuffing attack where threat actors got access to their personal and financial information."
image: "https://phishprotection.com/og/blog/paypal-credential-stuffing-attack-data-of-nearly-35000-accounts-at-risk.png"
canonical: "https://phishprotection.com/blog/paypal-credential-stuffing-attack-data-of-nearly-35000-accounts-at-risk/"
---

Quick Answer

Nearly 35,000 PayPal customers were the victim of a \[credential stuffing attack\](/phishing-awareness/what-is-credential-stuffing-attack-and-why-paramount-protect-your-organization) where threat actors got access to their personal and \*\*financial information\*\*. This text shares details about the attack, what actually happened, how PayPal handled the case, what the organization is doing for the affected customers, and how you can

Share 

[ ](https://www.linkedin.com/sharing/share-offsite/?url=https%3A%2F%2Fphishprotection.com%2Fblog%2Fpaypal-credential-stuffing-attack-data-of-nearly-35000-accounts-at-risk%2F "Share on LinkedIn") [ ](https://twitter.com/intent/tweet?text=PayPal%20Credential%20Stuffing%20Attack%3A%20Data%20of%20nearly%2035%2C000%20Accounts%20at%20Risk&url=https%3A%2F%2Fphishprotection.com%2Fblog%2Fpaypal-credential-stuffing-attack-data-of-nearly-35000-accounts-at-risk%2F "Share on X/Twitter") [ ](https://www.facebook.com/sharer/sharer.php?u=https%3A%2F%2Fphishprotection.com%2Fblog%2Fpaypal-credential-stuffing-attack-data-of-nearly-35000-accounts-at-risk%2F "Share on Facebook") [ ](https://reddit.com/submit?url=https%3A%2F%2Fphishprotection.com%2Fblog%2Fpaypal-credential-stuffing-attack-data-of-nearly-35000-accounts-at-risk%2F&title=PayPal%20Credential%20Stuffing%20Attack%3A%20Data%20of%20nearly%2035%2C000%20Accounts%20at%20Risk "Share on Reddit") [ ](mailto:?subject=PayPal%20Credential%20Stuffing%20Attack%3A%20Data%20of%20nearly%2035%2C000%20Accounts%20at%20Risk&body=Check out this article: https%3A%2F%2Fphishprotection.com%2Fblog%2Fpaypal-credential-stuffing-attack-data-of-nearly-35000-accounts-at-risk%2F "Share via Email") 

![Phish Protection blog post image](https://media.mailhop.org/phishprotection/images/2023/01/zero-day-attack-prevention-2040.jpg) 

Nearly 35,000 PayPal customers were the victim of a [credential stuffing attack](/phishing-awareness/what-is-credential-stuffing-attack-and-why-paramount-protect-your-organization) where threat actors got access to their personal and **financial information**. This text shares details about the attack, what actually happened, how PayPal handled the case, what the organization is doing for the affected customers, and how you can protect your PayPal accounts and data.

PayPal has sent out a recent **data breach notification** to thousands worldwide, informing them of a credential stuffing attack the enterprise suffered where the **threat actors** were able to conduct large-scale credential stuffing attacks that have exposed the personal data of nearly 35,000 PayPal customers . Here’s a comprehensive look into the incident covering how and when the [cyberattack](https://abcnews.go.com/Health/wireStory/cyberattack-top-indian-hospital-highlights-security-risk-94684104) occurred and what customers can do to protect their accounts.

### The PayPal Credential Stuffing Attack at a Glance

PayPal confirmed that threat actors were able to **access** PayPal customer accounts on 20 December of last year by utilizing legitimate [login credentials](https://www.business-standard.com/article/technology/facebook-reveals-login-credentials-of-1-mn-users-stolen-by-malicious-apps-122100800900%5F1.html).

> 

PayPal initially outlined that the organization had no information that suggested the **misuse** of personal information due to the cyberattack and stated, “There is also **no evidence** that your login credentials were obtained from any PayPal systems.”

However, based on the investigation that the organization has carried out to date, they have found many details regarding the cyberattack. The [threat actors](/phishing/threat-actors-exploit-adobes-creative-cloud) **breached** PayPal’s systems between 6 December 2022 and 8 December 2022, during which time the threat actors viewed and **potentially acquired** the personal information of PayPal’s customers.

### What Data did the Threat Actors Access?

> “Zero-day phishing URLs have an average lifespan of just 12 hours before they’re added to blocklists. During that window, traditional signature-based filters are blind. Our real-time behavioral analysis catches these threats by pattern, not by signature - which is how we detect attacks that no database has seen yet.” - **Adam Lundrigan**, CTO, DuoCircle

Claiming that the cyberattack was not due to a breach in its systems, PayPal has[revealed](https://www.documentcloud.org/documents/23578067-paypal-notice?responsive=1&title=1)that 34,942 of its customers have been impacted by the incident, during which the threat actors had **access** to the personal information of these users and could have made away with the **sensitive information**.

![Zero day attack prevention](https://media.mailhop.org/phishprotection/images/2023/01/zero-day-attack-prevention-2040.jpg) 

The information that the threat actors had access to includes full names, dates of birth, postal addresses, individual tax identification numbers , and social security numbers, all of which are crucial information meant to be kept private, which threat actors can use for [malicious](https://www.bleepingcomputer.com/news/security/malicious-lolip0p-pypi-packages-install-info-stealing-malware/) purposes. Apart from this, the threat actors also had access to connected credit and debit card details, **transaction** histories of the customers, and PayPal invoicing data.

### What is PayPal Doing for Affected Customers?

PayPal was **prompt** in its approach and, upon discovering the [data breach](/phishing/data-breaches-how-they-impact-small-businesses), leaped into action, beginning its investigation into the cyberattack and **resetting the passwords** of all affected PayPal accounts to prevent threat actor access to these and the personal and financial information contained within said accounts.

_Furthermore, PayPal implemented enhanced [security controls](https://www.ibm.com/topics/security-controls) to require the affected customers to establish a new password at the following account login so the **threat actors would be at bay**._

On the other hand, PayPal secured Equifax to provide [identity monitoring](https://www.consumerfinance.gov/ask-cfpb/what-is-identity-monitoring-or-identity-theft-protection-service-en-1369/) services to its affected customers at **no extra costs** for the next two years and also provided information on how customers can avail of these. The **Equifax** identity monitoring will enable the affected customers to:

- Get annual access to their credit report from all 3-bureaus and their VantageScore credit scores.
- Check their Equifax credit report daily and receive updates on their 1-bureau VantageScore credit score.
- Monitor their credit with notifications for critical changes to their credit reports from all 3-bureaus.
- Receive WebScan alerts if their personal information, such as Social Security Number, credit/debit card, or bank account numbers, are found on fraudulent websites.
- Enjoy automatic fraud alerts, blocked inquiry alerts, and the ability to lock their Equifax credit report to help protect against identity theft.
- Receive Identity Restoration assistance to help restore their identity should they become a victim of identity theft, with a dedicated specialist working on their behalf.
- Benefit from up to $1,000,000 of identity theft insurance coverage for certain out-of-pocket expenses resulting from identity theft.
- Get Lost Wallet Assistance if their wallet is lost or stolen, and one-stop assistance in canceling and reissuing credit, debit, and personal identification cards.

### What can Customers do to Protect their Accounts and Information?

PayPal has taken steps to ensure the accounts are protected. Still, the customers must ensure that they are not breached again, and that threat actors do not leverage the stolen information in [social engineering attacks](/phishing-awareness/social-engineering-attack-twilio-compromises-employee-accounts-customer-data). The affected customers need to:

![Zero day attack prevention](https://media.mailhop.org/phishprotection/images/2023/01/zero-day-attack-prevention-3714.jpg) 
- **_Change Passwords:_**Change your passwords immediately, using a strong and unique password for each account. **Password recycling** (Using the same password for different accounts) can open you up to malicious targeting and compromise more accounts, which is why you need to change passwords on other websites and applications, too, if you use the same one.
- **_Enable Two-Factor Authentication:_**Enable [two-factor authentication (2FA)](https://www.wired.com/story/google-two-factor-authentication-default/) on your PayPal accounts by navigating to the “Account Settings” menu. 2FA can offer **enhanced protection** by preventing unauthorized access to the accounts by requiring additional [biometrics](https://www.geeksforgeeks.org/what-is-biometrics/) or PINs at login.
- _**Monitor Accounts:**_ Monitor your accounts for suspicious activity and report any unauthorized access to the relevant service provider. With the Equifax benefits that PayPal is providing to affected customers, this should be an easy one. You can also go for an online protection service, but be sure to be [using the best service to protect your identity online](https://www.homesecurityheroes.com/best-identity-theft-protection-services-reviews/).
- **_Be Cautious of Phishing:_**Be cautious of [phishing](/resources/what-is-phishing) attempts, which may try to trick them into revealing personal information or login credentials. Threat actors may utilize the stolen personal information to **target** you in [spear phishing](/content/phishing-prevention/spear-phishing-examples) attacks or use your information to target others. If you receive any unsolicited emails with telltale **phishing signs**, you need to stay protected.
- \_ \_ **_Use a Password Manager:_**Use a [password manager](https://www.malwarebytes.com/what-is-password-manager) to generate and store strong , unique passwords for each account. Password managers can keep your passwords safe and generate long strings of passwords that are **tough to break**

.

- **_Keep Software Updated:_**Keep the software and apps on all your devices updated. **Software updates** contain security and app upgrades that can keep your devices free from [malware](/content/protection-against-malware/what-is-malware) or **spyware** that the threat actors may try to drop using emails.
- **_Use Reliable Anti-Virus and Anti-Malware:_**Use reliable anti-virus and **anti-malware software** to protect your devices from malicious software. [Anti-virus](https://www.bleepingcomputer.com/news/security/antivirus-and-edr-solutions-tricked-into-acting-as-data-wipers/) software can also scan and flag **suspicious emails** to provide you with protection.

### Final Words

The recent PayPal credential stuffing attack is a reminder of the significance of [protection from phishing](/) and the need for individuals and businesses to take **proactive measures** to protect their accounts and personal information.

The attack, which affected nearly 35,000 accounts, highlights the **potential risks** associated with using the same login credentials across multiple accounts and the importance of using strong, unique passwords and enabling 2FA to thwart cyberattacks.

It also emphasizes the need for businesses to implement robust **security measures** to protect against these types of attacks, as [cybersecurity](/content/cybersecurity-in-a-nutshell) is not achieved by the organization or its customers but is a **collective effort** of the two at a unit level.

![Zero day attack prevention](https://media.mailhop.org/phishprotection/images/2023/01/zero-day-attack-prevention-4743.jpg) 

Moving forward, individuals should be **vigilant**, monitor their accounts for suspicious activity, and **immediately report** any unauthorized access to PayPal or other service providers. It is essential to be cautious of phishing attempts and to use reliable anti-virus and anti-malware software to protect devices from malware and other [malicious software](https://www.xcitium.com/blog/pc-security/what-is-malicious-software/).

## Topics

[ Cybersecurity ](/tags/cybersecurity/)[ Phishing ](/tags/phishing/)[ Phishing Awareness ](/tags/phishing-awareness/) 

![Brad Slavin](https://media.mailhop.org/phishprotection/images/authors/brad-slavin.jpg) 

[ Brad Slavin ](/authors/brad-slavin/) 

General Manager

Founder and General Manager of DuoCircle. Product strategy and commercial lead across DuoCircle's 2,000+ customer base.

[LinkedIn Profile →](https://www.linkedin.com/in/bradslavin) 

## Protect your inbox from phishing attacks

Real-time email security with 60-day free trial. No credit card required.

[Start Free Trial](https://portal.duocircle.com/cart.php?a=add&pid=101&brand=phishprotection) [View Pricing](/pricing/) 

## Related Articles

[  Intermediate 5m  American Airlines Suffers Employee Email Data Breach, Personal Information at Risk  Oct 4, 2022 ](/blog/american-airlines-suffers-employee-email-data-breach-personal-information-risk/)[  Intermediate 5m  BitRAT Malware Threat Actors Leveraging Stolen Columbian Cooperative Bank Data in Phishing Campaign  Jan 18, 2023 ](/blog/bitrat-malware-threat-actors-leveraging-stolen-columbian-cooperative-bank-data-in-phishing-campaign/)[  Intermediate 5m  Find Out About the Latest Case of Threat Actors Utilizing Phishing-as-a-Service to Steal $120,000  Feb 20, 2023 ](/blog/find-out-about-the-latest-case-of-threat-actors-utilizing-phishing-as-a-service-to-steal-120000/)[  Intermediate 5m  GoDaddy Customers Beware: Hackers Have Been Stealing Source Code for Years  Mar 6, 2023 ](/blog/godaddy-customers-beware-hackers-have-been-stealing-source-code-for-years/)

```json
{"@context":"https://schema.org","@type":"Organization","name":"Phish Protection","url":"https://phishprotection.com","logo":{"@type":"ImageObject","url":"https://phishprotection.com/images/phishprotection-logo.png"},"description":"Advanced phishing protection and email security for businesses. Real-time threat defense, time-of-click protection, and seamless Office 365 integration.","parentOrganization":{"@type":"Organization","@id":"https://www.wikidata.org/wiki/Q138883901","name":"DuoCircle LLC","url":"https://www.duocircle.com","sameAs":["https://www.wikidata.org/wiki/Q138883901","https://www.crunchbase.com/organization/duocircle-llc","https://www.linkedin.com/company/duocircle","https://github.com/duocircle"],"subOrganization":[{"@type":"Organization","@id":"https://www.wikidata.org/wiki/Q138898167","name":"DMARC Report","url":"https://dmarcreport.com"},{"@type":"Organization","@id":"https://www.wikidata.org/wiki/Q138897474","name":"AutoSPF","url":"https://autospf.com"},{"@type":"Organization","@id":"https://www.wikidata.org/wiki/Q138897912","name":"Phish Protection","url":"https://www.phishprotection.com"}]},"sameAs":["https://www.linkedin.com/company/duocircle","https://x.com/duocirclellc","https://www.facebook.com/duocirclellc","https://github.com/duocircle"],"contactPoint":{"@type":"ContactPoint","contactType":"customer support","url":"https://phishprotection.com/contact/"},"knowsAbout":["Phishing Protection","Email Security","Anti-Phishing","Business Email Compromise","Ransomware Protection","Time of Click Protection","Office 365 Email Security","Advanced Threat Defense"]}
```

```json
{"@context":"https://schema.org","@type":"WebSite","name":"Phish Protection","url":"https://phishprotection.com","description":"Advanced phishing protection and email security for businesses. Real-time threat defense, time-of-click protection, and seamless Office 365 integration.","publisher":{"@type":"Organization","name":"Phish Protection","url":"https://phishprotection.com","logo":{"@type":"ImageObject","url":"https://phishprotection.com/images/phishprotection-logo.png"},"description":"Advanced phishing protection and email security for businesses. Real-time threat defense, time-of-click protection, and seamless Office 365 integration.","parentOrganization":{"@type":"Organization","@id":"https://www.wikidata.org/wiki/Q138883901","name":"DuoCircle LLC","url":"https://www.duocircle.com","sameAs":["https://www.wikidata.org/wiki/Q138883901","https://www.crunchbase.com/organization/duocircle-llc","https://www.linkedin.com/company/duocircle","https://github.com/duocircle"],"subOrganization":[{"@type":"Organization","@id":"https://www.wikidata.org/wiki/Q138898167","name":"DMARC Report","url":"https://dmarcreport.com"},{"@type":"Organization","@id":"https://www.wikidata.org/wiki/Q138897474","name":"AutoSPF","url":"https://autospf.com"},{"@type":"Organization","@id":"https://www.wikidata.org/wiki/Q138897912","name":"Phish Protection","url":"https://www.phishprotection.com"}]}}}
```

```json
[{"@context":"https://schema.org","@type":"BlogPosting","headline":"PayPal Credential Stuffing Attack: Data of nearly 35,000 Accounts at Risk","description":"Nearly 35,000 PayPal customers were the victim of a credential stuffing attack where threat actors got access to their personal and financial information.","url":"https://phishprotection.com/blog/paypal-credential-stuffing-attack-data-of-nearly-35000-accounts-at-risk/","datePublished":"2023-01-30T08:22:56.000Z","dateModified":"2026-04-17T16:29:18.000Z","dateCreated":"2023-01-30T08:22:56.000Z","author":{"@type":"Person","@id":"https://phishprotection.com/authors/brad-slavin/#person","name":"Brad Slavin","url":"https://phishprotection.com/authors/brad-slavin/","jobTitle":"General Manager","description":"Brad Slavin is the founder and General Manager of DuoCircle, the company behind DMARC Report, AutoSPF, Phish Protection, and Mailhop. He founded DuoCircle in 2014 and has led the company's growth to 2,000+ customers across its email security product family. Brad's focus is product strategy, customer relationships, and the commercial and compliance side of email authentication (DPAs, SLAs, enterprise procurement).","image":"https://media.mailhop.org/phishprotection/images/authors/brad-slavin.jpg","knowsAbout":["Email Security Strategy","SaaS Product Management","Enterprise Compliance","Customer Success","Email Deliverability Business"],"worksFor":{"@type":"Organization","name":"Phish Protection","url":"https://phishprotection.com"},"sameAs":["https://www.linkedin.com/in/bradslavin"]},"publisher":{"@type":"Organization","name":"Phish Protection","url":"https://phishprotection.com","logo":{"@type":"ImageObject","url":"https://phishprotection.com/images/phishprotection-logo.png"},"description":"Advanced phishing protection and email security for businesses. Real-time threat defense, time-of-click protection, and seamless Office 365 integration.","parentOrganization":{"@type":"Organization","@id":"https://www.wikidata.org/wiki/Q138883901","name":"DuoCircle LLC","url":"https://www.duocircle.com","sameAs":["https://www.wikidata.org/wiki/Q138883901","https://www.crunchbase.com/organization/duocircle-llc","https://www.linkedin.com/company/duocircle","https://github.com/duocircle"],"subOrganization":[{"@type":"Organization","@id":"https://www.wikidata.org/wiki/Q138898167","name":"DMARC Report","url":"https://dmarcreport.com"},{"@type":"Organization","@id":"https://www.wikidata.org/wiki/Q138897474","name":"AutoSPF","url":"https://autospf.com"},{"@type":"Organization","@id":"https://www.wikidata.org/wiki/Q138897912","name":"Phish Protection","url":"https://www.phishprotection.com"}]},"sameAs":["https://www.linkedin.com/company/duocircle","https://x.com/duocirclellc","https://www.facebook.com/duocirclellc","https://github.com/duocircle"],"contactPoint":{"@type":"ContactPoint","contactType":"customer support","url":"https://phishprotection.com/contact/"},"knowsAbout":["Phishing Protection","Email Security","Anti-Phishing","Business Email Compromise","Ransomware Protection","Time of Click Protection","Office 365 Email Security","Advanced Threat Defense"]},"mainEntityOfPage":{"@type":"WebPage","@id":"https://phishprotection.com/blog/paypal-credential-stuffing-attack-data-of-nearly-35000-accounts-at-risk/"},"articleSection":"intermediate","keywords":"Cybersecurity, Phishing, Phishing Awareness","wordCount":1238,"image":{"@type":"ImageObject","url":"https://media.mailhop.org/phishprotection/images/2023/01/zero-day-attack-prevention-2040.jpg","caption":"Phish Protection blog post image","width":1200,"height":630},"speakable":{"@type":"SpeakableSpecification","cssSelector":[".answer-block","h1"]}},{"@context":"https://schema.org","@type":"FAQPage","mainEntity":[{"@type":"Question","name":"What Data did the Threat Actors Access?","acceptedAnswer":{"@type":"Answer","text":"> \"Zero-day phishing URLs have an average lifespan of just 12 hours before they're added to blocklists. During that window, traditional signature-based filters are blind. Our real-time behavioral analysis catches these threats by pattern, not by signature - which is how we detect attacks that no ..."}},{"@type":"Question","name":"What is PayPal Doing for Affected Customers?","acceptedAnswer":{"@type":"Answer","text":"PayPal was **prompt** in its approach and, upon discovering the [data breach](/phishing/data-breaches-how-they-impact-small-businesses), leaped into action, beginning its investigation into the cyberattack and **resetting the passwords** of all affected PayPal accounts to prevent threat actor acc..."}},{"@type":"Question","name":"What can Customers do to Protect their Accounts and Information?","acceptedAnswer":{"@type":"Answer","text":"PayPal has taken steps to ensure the accounts are protected. Still, the customers must ensure that they are not breached again, and that threat actors do not leverage the stolen information in [social engineering attacks](/phishing-awareness/social-engineering-attack-twilio-compromises-employee-a..."}}]}]
```

```json
{"@context":"https://schema.org","@type":"BreadcrumbList","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https://phishprotection.com/"},{"@type":"ListItem","position":2,"name":"Blog","item":"https://phishprotection.com/blog/"},{"@type":"ListItem","position":3,"name":"Intermediate","item":"https://phishprotection.com/intermediate/"},{"@type":"ListItem","position":4,"name":"PayPal Credential Stuffing Attack: Data of nearly 35,000 Accounts at Risk","item":"https://phishprotection.com/blog/paypal-credential-stuffing-attack-data-of-nearly-35000-accounts-at-risk/"}]}
```