PayPal has disclosed a data breach that involved the theft of information from 35,000 customers in a credential-stuffing attack.
PayPal said in the filing that the breach occurred between Dec. 6 and Dec. 8 and was detected on Dec. 20. Details believed to have been accessed include names, addresses, Social Security numbers, tax identification numbers, and dates of birth.
PayPal reset the passwords of all affected accounts and implemented enhanced security controls. Affected users are also being offered two years of free identity monitoring services from Equifax.
Although many PayPal accounts were affected, the attack was not the result of PayPal’s lack of security. Instead, it’s the result of PayPal users reusing the same password on PayPal and other websites.
Modern MFA technologies cost almost nothing to implement and should be enabled by default by financial service providers as a foundational security measure. High-profile breaches must serve as a wake-up call for organizations large and small to implement a zero-trust architecture, enable MFA, and use strong and unique passwords.