PayPal Confesses to Credential Stuffing Attack, Breach of 35,000 Accounts
New York's Department of Financial Services has reached a Rs 16.4 crore (US$2 million) settlement with PayPal over allegations that the company failed to comply with the state's cybersecurity regulation, lapses that contributed to a data breach in December 2022.
The New York Department of Financial Services (DFS) said attackers compromised accounts through credential stuffing, in which username and password pairs stolen in unrelated breaches are replayed in bulk against a login page, and that weaknesses in PayPal's controls allowed those automated attempts to succeed and expose sensitive customer information.
PayPal disclosed in early 2023 that the breach occurred between December 6 and December 8, 2022, impacting approximately 35,000 accounts. Exposed data included full names, dates of birth, postal addresses, Social Security numbers, and individual tax identification numbers.
The DFS investigation highlighted a separate failure in the handling of IRS Form 1099-K tax documents. According to DFS, the PayPal teams tasked with modifying data flows to expand customer access to the forms were inadequately trained on the company's systems and application development processes. The changes were therefore made without proper procedures being followed, and the forms, carrying sensitive customer data, became viewable to whoever could log in, including the attackers who had stuffed their way into the affected accounts.
The credential stuffing attacks were further enabled by the absence of mandatory multi-factor authentication (MFA) and of basic anti-automation controls: the login flow had no CAPTCHA and no rate limiting, so an attacker could replay stolen credentials at volume without being slowed or challenged. DFS found that these shortcomings violated several provisions of New York's Cybersecurity Regulation, 23 NYCRR §§ 500.3, 500.10 and 500.12, which respectively require a written cybersecurity policy, trained cybersecurity personnel, and effective multi-factor authentication.
Although PayPal took corrective action after the breach, masking sensitive data on the IRS forms, adding CAPTCHA and rate limiting to the login flow, and making MFA mandatory for all U.S. accounts, DFS noted that these controls were put in place only after the attack and so did nothing to prevent it.
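The two paragraphs above describe the controls that were missing and later added. The following is an added example, not PayPal's or DFS's code, of what the missing detection layer looks like in practice: a sliding-window analysis of login attempts that separates the credential-stuffing signature (one client cycling through many distinct usernames with a low success rate) from ordinary brute force (many failures against one account), and decides per attempt whether to throttle the client, present a CAPTCHA, lock the account, or step up to MFA. The log format, the sample log lines and the thresholds are all constructed here for illustration and are not PayPal's actual values.

```python
"""Credential-stuffing detector over constructed login-attempt logs.

Added example; not PayPal's or DFS's code. Assumed log format (one attempt per line):
    <unix_ts> <client_ip> <username> <OK|FAIL>
Thresholds below are illustrative policy values, not PayPal's.
"""
from collections import defaultdict, deque

WINDOW_SECONDS = 60             # sliding window over which counts are kept (assumed)
MAX_DISTINCT_USERS_PER_IP = 5   # one client trying many accounts: stuffing signal (assumed)
MAX_FAILS_PER_USER = 3          # many failures on one account: brute-force signal (assumed)
MAX_ATTEMPTS_PER_IP = 8         # raw per-client volume cap regardless of outcome (assumed)

# Constructed sample: a benign user, a stuffing client spraying many accounts
# with one hit, and a brute-forcer hammering a single account.
SAMPLE_LOG = """\
1670284800 198.51.100.5 alice OK
1670284805 198.51.100.5 bob FAIL
1670284810 198.51.100.5 bob OK
1670284820 203.0.113.7 alice FAIL
1670284821 203.0.113.7 bob FAIL
1670284822 203.0.113.7 carol FAIL
1670284823 203.0.113.7 dave FAIL
1670284824 203.0.113.7 erin FAIL
1670284825 203.0.113.7 frank OK
1670284826 203.0.113.7 grace FAIL
1670284827 203.0.113.7 heidi FAIL
1670284828 203.0.113.7 ivan FAIL
1670284829 203.0.113.7 judy FAIL
1670284840 192.0.2.9 alice FAIL
1670284841 192.0.2.9 alice FAIL
1670284842 192.0.2.9 alice FAIL
1670284843 192.0.2.9 alice FAIL
"""


class SlidingWindow:
    """Per-key sliding window of (timestamp, value) events, pruned on every add."""

    def __init__(self, seconds):
        self.seconds = seconds
        self.events = defaultdict(deque)

    def add(self, key, ts, value=None):
        q = self.events[key]
        q.append((ts, value))
        while q and ts - q[0][0] >= self.seconds:
            q.popleft()
        return q


def parse(log_text):
    """Yield (ts, ip, user, result) tuples from the assumed log format."""
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, ip, user, result = line.split()
        yield int(ts), ip, user, result


def analyze(log_text):
    """Return a list of (ts, ip, user, result, sorted_actions) for every attempt."""
    attempts_by_ip = SlidingWindow(WINDOW_SECONDS)
    fails_by_user = SlidingWindow(WINDOW_SECONDS)
    decisions = []
    for ts, ip, user, result in parse(log_text):
        actions = set()
        ip_events = attempts_by_ip.add(ip, ts, user)
        # Volume cap: the rate limit PayPal lacked at the time of the breach.
        if len(ip_events) > MAX_ATTEMPTS_PER_IP:
            actions.add("throttle_ip")
        # Stuffing signature: one client, many distinct accounts inside the window.
        distinct_users = {u for _, u in ip_events}
        if len(distinct_users) > MAX_DISTINCT_USERS_PER_IP:
            actions.add("challenge_captcha")
            if result == "OK":
                # A correct password from a spraying client is exactly the case
                # rate limiting alone cannot stop; only a second factor does.
                actions.add("step_up_mfa")
        # Brute-force signature: many failures against a single account.
        if result == "FAIL":
            if len(fails_by_user.add(user, ts)) > MAX_FAILS_PER_USER:
                actions.add("lock_account")
        decisions.append((ts, ip, user, result, sorted(actions)))
    return decisions


def flagged_ips(decisions):
    """Client IPs that triggered at least one defensive action."""
    return sorted({ip for _, ip, _, _, acts in decisions if acts})


if __name__ == "__main__":
    for ts, ip, user, result, acts in analyze(SAMPLE_LOG):
        print(ts, ip, user, result, ",".join(acts) or "-")
    print("flagged:", flagged_ips(SAMPLE_LOG and analyze(SAMPLE_LOG)))
```

Two points the output makes that the article's summary does not: the benign client never trips any threshold even with one failed password, and the stuffing client's single successful login (frank) is caught only by the distinct-username heuristic and the MFA step-up, not by the volume cap, which it has not yet reached. That is why DFS treated mandatory MFA and the anti-automation controls as complementary rather than interchangeable.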
Under the terms of the settlement, PayPal is required to pay the $2 million fine within 10 days. While no further action will be taken at this time, DFS noted that it reserves the right to pursue additional penalties if new violations are uncovered.
This case underscores the importance of proactive cybersecurity measures and compliance with regulatory standards to safeguard sensitive customer information.