PayPal's December 2022 breach exposed 35,000 accounts—here's how they responded

Hackers exploited reused passwords to breach thousands of PayPal accounts. The company's swift response included forced resets, MFA upgrades, and free identity protection.

PayPal faced a major security breach in early December 2022, with nearly 35,000 user accounts compromised by credential-stuffing attacks. The company responded swiftly by resetting passwords and rolling out stronger security measures to prevent further incidents.

The attack targeted around 17,000 accounts initially, but further investigation revealed a total of nearly 35,000 users affected. While sensitive details like Social Security numbers, birth dates, and addresses were exposed, PayPal confirmed no evidence of misuse or unauthorised transactions.

To strengthen defences, the company enforced password resets and introduced stricter rate-limiting controls. Enhanced multi-factor authentication (MFA) and improved detection systems for suspicious login attempts were also implemented. Additionally, PayPal partnered with Equifax to offer affected users two years of free identity monitoring.

Security experts have since recommended adopting zero-trust frameworks, using password managers, and enabling 2FA across all online accounts. PayPal itself urged customers to create unique, complex passwords and activate two-factor authentication to reduce future risks.

Despite the breach, no financial losses were reported, and PayPal's security upgrades aim to block similar attacks. Users impacted by the incident now have access to identity protection services, while broader cybersecurity advice encourages stronger password practices and automated security tools.
