Everything we know so far about the PayPal data breach

While few PayPal customers saw their data exposed, some did experience unauthorized activity on their accounts


PayPal has issued an alert after a data breach saw customers exposed for several months.

According to a notification seen by BleepingComputer and sent to affected customers on February 10, the breach was caused by an error in the firm's PayPal Working Capital (PPWC) loan application.

This saw personal data belonging to a "small number" of customers exposed to unauthorized individuals between July 1 and December 13 last year. Data exposed in the incident is believed to have included business contact information.

Some customers did have unauthorized activity on their accounts as a result, although PayPal said it's refunded those people.

"Our investigation determined that some of your personal information was affected by this incident," the letter read.

"This could have included your business contact info: name, email address, phone number, business address combined with your Social Security number, and date of birth."

The company said it has launched an investigation into the incident and terminated the unauthorized access to PayPal’s systems, rolling back the code changes that caused the breach in the first place.

Affected PayPal accounts have also had passwords reset, requiring customers to create new login details. The payments giant also confirmed it has implemented enhanced security controls.

Free credit monitoring services will be offered to affected customers through Equifax, and customers are being told to be on the alert for any suspicious activity or fraudulent transactions.

PayPal data breach could have downstream impact

While PayPal has implemented changes in the wake of the breach, Kevin Knight, CEO of Talion, warned the incident could have downstream implications for customers, particularly given contact information was exposed.

“PayPal has said it has refunded customers for the fraudulent transactions and updated the passwords on impacted accounts, but the attacker still has access to information that can’t be easily changed, which can still be of value to them in phishing scams and to sell to initial access brokers,” he said.

Phishing scams are a common occurrence in the wake of data breaches, with threat actors using exposed contact details such as email addresses to target victims.

Knight said the timing of the letter is also concerning, given that the incident first occurred months earlier and was discovered in December.

"What is most concerning about this breach is that an organization as large and reputable as PayPal, which holds highly sensitive data on its customers, has waited two months to notify individuals about this incident," said Knight.

"While credit monitoring has been offered, victims were left in the dark, while the actor behind the incident was able to access their financial and personal data and conduct fraudulent transactions."

In its customer notification, PayPal insisted it had not delayed the notification "as a result of any law enforcement investigation."

ITPro has approached PayPal for comment.

Emma Woollacott

Emma Woollacott is a freelance journalist writing for publications including the BBC, Private Eye, Forbes, Raconteur and specialist technology titles.