35,000 PayPal accounts breached - is Yours One of Them? (Updated)

enaph

According to a PayPal notice of security incident dated January 18, attackers got unauthorized access to the accounts of thousands of users between December 6 and 8, 2022. The total number of accounts that were accessed by threat actors using a credential stuffing attack is reported as being 34,942.
 

Stopspying

I have a PayPal account that has been used infrequently lately. I just thought that I'd check the settings and change the password. Passwords are past their sell-by-date really, but it annoys me that when you can still use them, companies like PayPal restrict the password to a maximum of 20 characters, when the advice generally is that you use longer passwords if you use them.
 

plat

I use PayPal for Steam purchases. I'm inclined to believe that yes, my acct. was compromised because as soon as I read about this earlier today, I checked if my PayPal password was pwned and it sure was. Luckily (no, wasn't luck but sense) I had MFA on my email acct and 2FA on my PayPal so my bank info and email weren't affected (checked those too). This makes #2, after the AT&T breach.

Even though PayPal was supposed to notify people, I never got the word. Just heard about it second-hand, like everybody else. It's getting so that damage control is increasingly on the consumer, provided he/she gets the word soon enough. Can't trust these corporations to be timely.

My PayPal password paypal pwned.PNG
 

blackice

Not a hack: “The total number of accounts that were accessed by threat actors using a credential stuffing attack is reported as being 34,942.”

If you don’t reuse passwords you probably don’t need to bother resetting. If PayPal was actually hacked it would be a much bigger number and a lot more people would have lost money.
 

Stopspying

It's getting so that damage control is increasingly on the consumer, provided he/she gets the word soon enough. Can't trust these corporations to be timely
Very true, looking at recent breaches at LastPass, T-Mobile etc. there does seem to be a move to putting the onus on users to deal with these incidents, without any direct communication from the companies. I'm surprised at the number of people I've come across who have/had LastPass accounts who had heard nothing about their incidents last year until I asked if they had any LastPass accounts. Once I'd realised this, it's become my No.1 conversation killer!
 

R2D2

I updated my PayPal password soon after the LP breach announcement in the last week of Dec.

My PayPal account is protected with a complex randomly generated password + 2FA but I have not heard back from PayPal about my account being in the list of hacked accounts. Still, it's fingers crossed.
 

Captain Holly

I never heard anything from Paypal about my account being involved in the hack, but I still changed my password and turned on 2FA on the account. I have not used Paypal to pay for anything in a very long time, but better safe than sorry. I am reviewing password managers now. Maybe it's time to get with the program and sign up for one. Just not Last Pass.

C.H.
 

Digmor Crusher

I also turned on 2FA, haven't used Paypal for years but you never know, eventually I may need it for something again. I also don't have a credit card associated to account, if one day I need to use it I will have to do this first.
 

Captain Holly

So if I use a password manager whether free or paid, does that stop or at least make it harder for criminals to hack my online accounts? Like my bank or credit card account? Up until this point I have just used passwords that I created myself. I keep them written in an address book.

Also I am seeing a lot of options for free and paid password managers. I think Firefox also includes some free options in their extensions list. Which is the best one? I don't mind paying for one as long as it works well. Right now I am kind of overwhelmed on this.

C.H.
 

Neno

So if I use a password manager whether free or paid, does that stop or at least make it harder for criminals to hack my online accounts? Like my bank or credit card account? Up until this point I have just used passwords that I created myself. I keep them written in an address book.

Also I am seeing a lot of options for free and paid password managers. I think Firefox also includes some free options in their extensions list. Which is the best one? I don't mind paying for one as long as it works well. Right now I am kind of overwhelmed on this.

C.H.
Not really... or I should say not enough.
Nowadays the length and complexity of the password is not the only important attribute. MFA (multi-factor authentication) is one of the key points of account security. Nothing even remotely important should be left without it.
 

Zero Knowledge

It's getting so that damage control is increasingly on the consumer, provided he/she gets the word soon enough. Can't trust these corporations to be timely.
Could you ever trust corporations in the first place :unsure:? I really truly honestly 100% doubt it! When a breach or hack happens, you can slowly see when it transitions from the company's PR/HR managing the event to when the lawyers step in 👨‍⚖️ and start writing the press releases and managing the incident.
 

HarborFront

So if I use a password manager whether free or paid, does that stop or at least make it harder for criminals to hack my online accounts? Like my bank or credit card account? Up until this point I have just used passwords that I created myself. I keep them written in an address book.

Also I am seeing a lot of options for free and paid password managers. I think Firefox also includes some free options in their extensions list. Which is the best one? I don't mind paying for one as long as it works well. Right now I am kind of overwhelmed on this.

C.H.

Have you tried using free virtual credit cards from

 

Captain Holly

Have you tried using free virtual credit cards from

Thanks, the virtual credit cards look interesting. I only use two cards regularly each month, one is my Verizon Visa card that I have set up for auto payment on my cell phone bill. I have to use that card with auto pay to get a $20.00 discount on the bill. So I don't know if a virtual card will work there. I have my internet on auto pay on another credit card, I could do a virtual card there. Sometimes my wife and I will use a grocery delivery service, virtual card would work there too. I will look into it.

I am still reading up on password managers. I have a lot to learn before I go that route but will enable 2FA on everything I can. Better safe than sorry. Thanks for the info on this.

C.H.
 

Captain Holly

I tried out Bitwarden. It is entirely too complicated. I read that Bitwarden may also have privacy issues of its own. I think I will just keep using my address book password manager method. I also keep some ID's and passwords on a flash drive with the LibreOffice spreadsheet I use to track my financial stuff and bill payments each month. Those are the accounts that I want to be sure are secure. I will go into each site for bills, credit cards, anything else that is sensitive info and make sure the 2FA is updated but I think I can do fine without a password manager.

C.H.
 

Digmor Crusher

As far as PW managers go you have these options.
Free-Paid
Local Storage-Cloud Storage
Open sourced-closed source

They will not make your chances of getting hacked easier or harder, basically you can use them to create passwords for you that would be harder to hack. But any site/company can be hacked so if you have a better password the safer you will be, (in theory;)). I use one because it's easier to remember, access, use passwords on any site, not for security reasons. You want security, pen and paper.
 

Digmor Crusher

I tried out Bitwarden. It is entirely too complicated. I read that Bitwarden may also have privacy issues of its own. I think I will just keep using my address book password manager method. I also keep some ID's and passwords on a flash drive with the LibreOffice spreadsheet I use to track my financial stuff and bill payments each month. Those are the accounts that I want to be sure are secure. I will go into each site for bills, credit cards, anything else that is sensitive info and make sure the 2FA is updated but I think I can do fine without a password manager.

C.H.
I use Bitwarden, first day or two I thought the same, but once you figure out how it works it's so easy. Basically you log in, go to a site, click on that site in BW and it logs you in. Give it a chance and figure it out, you will love it.
 
