In January 2023, PayPal users woke up to alarming news as the company revealed a massive data breach, impacting tens of thousands of accounts. The breach exposed sensitive information and revealed that even industry giants like PayPal are not immune to the threat of cybercrime.

In this article, we delve into the details of the PayPal data breach, analyze its causes and consequences, and look at what we can do to protect ourselves in an increasingly dangerous online environment.

PayPal Breach in 2022

On January 18th, 2023, PayPal started notifying approximately 35,000 users about a data breach that occurred between December 6th and 8th, 2022. According to PayPal's investigation, which concluded on December 20th, the breach involved unauthorized access to user accounts using valid credentials.

PayPal maintains that the breach did not originate from any vulnerabilities in their systems and found no evidence that hackers obtained user credentials directly from them.

How Did the PayPal Hack Happen?

Hackers used credential-stuffing attacks to access user accounts. In this type of cyber-attack, malicious agents employ bots to try username and password combinations taken from data leaks on various websites and on the dark web.

The attackers "stuff" these credentials into login portals, taking advantage of users who reuse the same password for multiple online accounts, a practice commonly known as "password recycling."
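In login logs, this pattern shows up as one source failing against many different usernames in a short time, with the occasional success where a password was reused. The sketch below is an added example, not code from PayPal or the original article; the log format, thresholds, and sample events are all constructed assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=5)  # assumed look-back window per source
MIN_USERS = 5                  # assumed: distinct usernames tried by one source
MIN_FAIL_RATIO = 0.8           # assumed: share of windowed attempts that failed

# Constructed sample log, "timestamp source-ip username ok|fail".
# Not data from the PayPal incident; IPs are documentation ranges.
SAMPLE_LOG = """\
2024-01-01T10:00:01 203.0.113.7 alice fail
2024-01-01T10:00:02 203.0.113.7 bob fail
2024-01-01T10:00:03 203.0.113.7 carol fail
2024-01-01T10:00:04 203.0.113.7 dave fail
2024-01-01T10:00:05 203.0.113.7 frank fail
2024-01-01T10:00:06 203.0.113.7 erin ok
2024-01-01T10:01:00 198.51.100.20 heidi fail
2024-01-01T10:01:20 198.51.100.20 heidi ok
2024-01-01T10:02:00 192.0.2.50 ivan ok
2024-01-01T10:02:05 192.0.2.50 judy ok
2024-01-01T10:02:10 192.0.2.50 ken fail
2024-01-01T10:02:15 192.0.2.50 ken ok
2024-01-01T10:02:20 192.0.2.50 leo ok
2024-01-01T10:02:25 192.0.2.50 mia ok
""".splitlines()


def parse(line):
    ts, ip, user, outcome = line.split()
    return datetime.fromisoformat(ts), ip, user, outcome == "ok"


def detect_stuffing(lines):
    """Return {flagged source_ip: usernames that logged in OK from it}."""
    recent = defaultdict(deque)  # ip -> events still inside WINDOW
    flagged = defaultdict(set)   # ip -> accounts needing a forced reset
    for ts, ip, user, ok in sorted(map(parse, lines)):
        q = recent[ip]
        q.append((user, ok, ts))
        while ts - q[0][2] > WINDOW:
            q.popleft()
        users = {u for u, _, _ in q}
        fails = sum(1 for _, good, _ in q if not good)
        spraying = len(users) >= MIN_USERS and fails / len(q) >= MIN_FAIL_RATIO
        if spraying or ip in flagged:
            # Valid logins from a flagged source are likely reused passwords.
            flagged[ip].update(u for u, good, _ in q if good)
    return {ip: sorted(users) for ip, users in flagged.items()}
```

On the sample, only `203.0.113.7` is flagged, with `erin` listed for a forced password reset; the user who mistyped a password and the shared office address with mostly successful logins are not.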


What Is the Aftermath of the PayPal Hack?

Over two days, hackers could access transaction histories, connected credit or debit card details, PayPal invoicing data, and account holders' full names, dates of birth, postal addresses, social security numbers, and individual tax identification numbers.

To mitigate the breach, PayPal promptly restricted the intruders' access to the platform and reset passwords for the affected accounts. Notably, the notification assured users that the attackers either did not attempt or were unsuccessful in carrying out any transactions from the breached accounts.

Lawsuit Alleges PayPal's Negligence in Data Breach

Plaintiffs Ashley Pillard and Destiny Rucker have filed a proposed class action lawsuit claiming that PayPal's negligence was responsible for the December 2022 incident. The complaint alleges that PayPal failed to implement adequate security measures and adhere to industry data protection standards and guidelines established by the Federal Trade Commission.

According to the plaintiffs, they incurred substantial expenses for credit monitoring and associated services because of PayPal's alleged negligence. They also became highly vulnerable to fraud and identity theft and were forced to spend time dealing with the effects of the breach. The plaintiffs are seeking monetary damages, as well as equitable relief, including lifetime credit monitoring and identity theft insurance.


Are Users Still Affected and How Can They Protect Their Data?

PayPal claims that the attackers could not perform any transactions from the breached accounts. Additionally, they initiated a password reset, prompting the affected users to create a new password during their next login session.

Because of PayPal's swift and decisive reaction, it is reasonable to conclude that most of the potential harm stemming from the breach has been mitigated. However, the specific impact may vary depending on the circumstances and actions taken by the hackers.

Nonetheless, PayPal strongly advises recipients of the notices to proactively change the passwords for their other online accounts, using a strong password of at least 12 characters, including a mix of alphanumeric characters and symbols. Additionally, PayPal encourages users to activate two-factor authentication, which prevents unauthorized access, even if hackers possess valid usernames and passwords.



The PayPal breach is a stark reminder of the ever-present threat of crime in the digital landscape. Moving forward, companies should learn from this example, implement account lockout systems, and monitor for stolen credentials to thwart future attacks.

It is worth noting that PayPal showed admirable transparency and poise in its reaction. They provided clear information to affected individuals and swiftly prevented further damage – crucial steps for rebuilding trust.

The breach should also serve as a reminder to all to take proactive measures to enhance their online security by using strong, non-recycled passwords and enabling two-factor authentication where possible.