PayPal has informed its customers that a number of accounts were compromised at the end of December. The company promptly reset all affected users' passwords and said it found no indication of a system breach.
It's easy to imagine why PayPal accounts are such valuable targets for criminals, given that they deal with currency transfers and direct payments, not to mention integration with other banking systems.
PayPal has revealed in a report that third parties have accessed and viewed information on a number of users. While the number of impacted customers wasn't revealed in the initial report, according to SecurityWeek, PayPal informed the Maine Attorney General that 34,942 people were affected.
The company explained that its systems were intact and that attackers likely obtained the credentials via other means, like phishing. Roughly 20% of people are estimated to reuse the same credentials on multiple online accounts, so it's also possible that the login information used to access PayPal accounts came from a data breach unrelated to PayPal itself.
"Based on PayPal's investigation to date, we believe that this unauthorized activity occurred between December 6, 2022, and December 8, 2022, when we eliminated access for unauthorized third parties," the company explained. "During this time, the unauthorized third parties were able to view, and potentially acquire, some personal information for certain PayPal users."
"We have no information suggesting that any of your personal information was misused as a result of this incident, or that there are any unauthorized transactions on your account. There is also no evidence that your login credentials were obtained from any PayPal systems," the company added.
The passwords of all affected users have been reset, which means they have to set up new ones. Let's hope each of them creates a unique password that isn't used for any other online service. Setting up two-factor authentication should be the mandatory second step.