PayPal was hit by a massive data breach, exposing personal data of 35k users. Hackers used credential stuffing attacks to gain access.

Continue reading
PayPal, one of the world's leading electronic payment platforms, has recently fallen victim to a credential-stuffing attack that exposed the personal data of nearly 35,000 users. This type of cyber attack is becoming increasingly prevalent and poses a significant threat to online security.
Credential stuffing is a form of automated cyberattack where hackers use bots to systematically test a list of username and password pairs on various online platforms and services. The attack aims to gain access to accounts by exploiting the common practice of users reusing the same password across multiple accounts.
The attack on PayPal occurred between December 6th and 8th, 2022, and was initially detected and mitigated by the company's security team. However, an internal investigation was conducted to determine how the hackers could gain access to the accounts. The investigation revealed that unauthorized third parties could log into the accounts using valid credentials, but there is no evidence that the user credentials were obtained directly from PayPal.
Here’s a rigorously updated, fact-checked version that keeps your original intent and CTA intact, while tightening accuracy and adding timely context.
PayPal disclosed that 34,942 customer accounts were accessed in a credential-stuffing campaign. Attackers used valid email/password pairs—likely reused from breaches elsewhere—to log in between December 6–8, 2022. PayPal’s investigation found no evidence the credentials were taken from PayPal systems, and no evidence of unauthorized transactions on impacted accounts.
For affected users, exposed personally identifiable information (PII) could include name, address, date of birth, phone number, Social Security number, and/or Individual Taxpayer Identification Number (ITIN). (Card and transaction details are accessible inside logged-in accounts, though PayPal did not report evidence of misuse.)
PayPal reset passwords, masked sensitive data, implemented additional controls, and offered 24 months of Equifax identity monitoring to affected users. The company reported no unauthorized transactions tied to the incident and reiterated there was no evidence credentials were obtained from PayPal.
In January 2025, New York’s Department of Financial Services announced a \$2 million penalty related to cybersecurity control failures tied to the late-2022 exposure of customer SSNs; see the DFS press release and consent order for specifics.
Don’t be the next target like PayPal. Credential-stuffing attacks abuse reused passwords to take over accounts—often without breaching your systems directly. In PayPal’s 2022 incident, attackers logged in using valid credentials reused from elsewhere, exposing sensitive PII for \~35K users despite no evidence of transactions or a PayPal data exfiltration. Strengthening authentication, monitoring for leaked credentials, and adding bot-mitigations are critical first lines of defense.
Try Threatspy—an automated application security management platform that helps you:
Book a free demo of Threatspy now to reduce both the root causes (injection-driven data leaks) and the downstream abuse (credential stuffing/ATO) across your web apps.

A third-party software flaw inside one of Japan's largest telcos exposed login credentials for up to 14.2 million email accounts across six ISPs. The passwords? Some were hashed. Some may not have been