PayPal alerts 35,000 users about potential data breach due to credential stuffing cyberattack

PayPal and Uber Data Breaches: What You Need to Know

In a series of recent data breaches, both PayPal and Uber have been affected. Here's a breakdown of what happened, what information was compromised, and how the companies are responding.

PayPal Data Breach

On December 20, 2022, PayPal reported a data breach that affected nearly 35,000 accounts. The breach occurred between December 6 and December 8, 2022, and it's important to note that no financial information was accessed during this incident.

The breach affected personal information such as names, addresses, social security numbers, tax identification numbers, and dates of birth. PayPal has sent notices to impacted customers about the security incident, and affected customers received a notice and had their passwords proactively reset. Enhanced security controls have been implemented for affected accounts, requiring users to establish a new password next time they log in.

PayPal ended the third quarter of 2022 with 432 million active accounts, and the company spokesperson apologised for any inconvenience caused by the incident. The PayPal payment systems were not impacted by the data breach.

Uber Data Breach

In a similar incident, Uber experienced a credential stuffing attack between December 6 and December 8, 2022, affecting nearly 35,000 customer accounts. Credential stuffing is a persistent threat that exploits valid credentials stolen during a breach or purchased on the dark web.

Uber responded by resetting passwords for affected users and enhancing security measures such as implementing multi-factor authentication. The FBI issued a warning about this threat in August 2022, and cybercriminals are using proxies and configurations to mask and automate credential stuffing attacks targeting U.S. businesses.

Understanding the Risk Calculus

Corporate stakeholders are increasingly interested in understanding the risk calculus of their technology stacks, particularly the question of whether they are a target. As these incidents demonstrate, no company is immune to cyber threats, and it's essential to have robust security measures in place to protect customer data.

It's worth noting that both the PayPal and Uber breaches did not involve the companies' systems; the login credentials were likely obtained elsewhere. This underscores the importance of using strong, unique passwords and enabling multi-factor authentication wherever possible.

In conclusion, while these data breaches are concerning, both PayPal and Uber have responded swiftly and effectively. By implementing enhanced security measures and notifying affected customers, they are taking steps to protect their users and mitigate the impact of the breaches. As a user, it's important to stay vigilant and take steps to protect your personal information online.