PayPal Security Advisory: Credential Stuffing and Sophisticated Phishing Targeting Users
PayPal has issued a series of security alerts following a wave of "unconventional" cyberattacks designed to compromise user accounts and exfiltrate sensitive financial data. The payments giant has confirmed that a significant credential stuffing campaign, alongside sophisticated phishing operations, has resulted in the exposure of personal information for thousands of users, including Social Security Numbers (SSNs) and tax identification data.
Credential Stuffing and the Six-Month Window
The most severe breach involved a massive credential stuffing attack—a technique where hackers use automated tools to test lists of usernames and passwords leaked from other platforms. According to reports from TechRadar Pro and The Record, hackers successfully gained access to nearly 35,000 accounts during a concentrated period.
Critically, investigations revealed that some unauthorized access may have gone undetected for up to six months. During this window, attackers were able to view full names, dates of birth, mailing addresses, and, in many cases, Social Security Numbers. CNET reports that the breach was not the result of a compromise of PayPal’s internal systems directly, but rather a failure of "password hygiene" among users who reused credentials across multiple sites.
The "Invoicing" Phishing Trend
Beyond automated login attempts, threat actors are increasingly using "legitimate" PayPal infrastructure to conduct fraud. Forbes and Dark Reading have highlighted a trend where attackers create professional-looking invoices or "money requests" within the PayPal platform itself.
Because these notifications come from service@paypal.com, they bypass traditional email spam filters. The invoices often claim that the user’s account has been compromised or that a high-value purchase (such as a laptop or cryptocurrency) is pending, prompting the victim to call a "support" number. Once on the phone, the attackers use social engineering to trick the user into providing remote access to their computer or sharing their Two-Factor Authentication (2FA) codes.
PayPal’s Response and Remediation
In a statement to the CISO Economic Times, PayPal confirmed it has reset the passwords of affected users and enhanced its internal monitoring for suspicious login patterns. The company is offering two years of free identity monitoring services through Equifax to those whose SSNs were exposed.
Primary Intel & Reports: Forbes, The Record, TechRadar Pro, Dark Reading, Cybersecurity Dive
The CyberSignal Analysis
The ongoing targeting of PayPal reflects a broader shift in FinTech Security, where attackers are moving from "cracking" the platform to "gaming" the platform’s trust.
- The Weakness of SMS-Based 2FA: Many compromised accounts were protected by SMS-based two-factor authentication. Attackers are increasingly using SIM Swapping or social engineering to intercept these codes. For B2B leaders and high-net-worth individuals, this incident underscores the necessity of moving toward hardware security keys (like YubiKeys) or app-based authenticators.
- Abuse of Platform Legitimacy: The use of actual PayPal invoices to deliver phishing lures is a masterclass in Social Engineering. It exploits the "Imprimatur of Legitimacy"—users trust the platform, so they trust the notification. This bypasses the "Check the Sender Address" rule that most security training relies on.
- Operational Takeaway: Organizations should implement Credential Screening services. By cross-referencing employee passwords against known dark-web leaks, IT teams can proactively force password resets before a credential stuffing attack occurs. Furthermore, internal training must now include "In-Platform Phishing" awareness, teaching users that even a "legitimate" notification can be a fraudulent request.
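The credential screening the takeaway above recommends is usually done with a k-anonymity lookup: only the first five hex characters of the password's SHA-1 hash leave the organisation, and the matching is finished locally. The following is an added illustration, not code from the article or from PayPal; the leak corpus and its counts are constructed, and the live fetcher targets the publicly documented Pwned Passwords range endpoint.

```python
import hashlib
import urllib.request
from typing import Callable, Dict, List

# Constructed sample corpus standing in for a breach-data provider: password -> times seen.
# Counts are hypothetical; a real service holds only the hashes, never the plaintext.
LEAKED_PASSWORDS: Dict[str, int] = {"password": 3_000_000, "Summer2024!": 42, "letmein": 120_000}

def sha1_upper(password: str) -> str:
    """Upper-case SHA-1 hex digest, the form the Pwned Passwords range API returns."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()

def build_range_index(leaked: Dict[str, int]) -> Dict[str, List[str]]:
    """Simulated server side: bucket hashes by 5-char prefix and keep only 'SUFFIX:COUNT'
    lines, so answering a range query never discloses which full hash the client holds."""
    index: Dict[str, List[str]] = {}
    for pw, count in leaked.items():
        digest = sha1_upper(pw)
        index.setdefault(digest[:5], []).append(f"{digest[5:]}:{count}")
    return index

def offline_fetch_range(index: Dict[str, List[str]]) -> Callable[[str], str]:
    """Offline stand-in for the network call, backed by the constructed index."""
    return lambda prefix: "\n".join(index.get(prefix, []))

def hibp_fetch_range(prefix: str) -> str:
    """Live fetcher for the real range API (GET https://api.pwnedpasswords.com/range/<prefix>).
    Not used by the offline demo below; swap it in for production screening."""
    with urllib.request.urlopen(f"https://api.pwnedpasswords.com/range/{prefix}", timeout=10) as r:
        return r.read().decode("utf-8")

def screen_password(password: str, fetch_range: Callable[[str], str]) -> int:
    """k-anonymity check: send the 5-char prefix only, compare suffixes locally.
    Returns the breach count, or 0 if the password was not found in the corpus."""
    digest = sha1_upper(password)
    prefix, suffix = digest[:5], digest[5:]
    for line in fetch_range(prefix).splitlines():
        cand_suffix, _, count = line.strip().partition(":")
        if cand_suffix == suffix:
            return int(count)
    return 0

if __name__ == "__main__":
    fetch = offline_fetch_range(build_range_index(LEAKED_PASSWORDS))
    for candidate in ("password", "correct horse battery staple"):
        print(candidate, "->", screen_password(candidate, fetch))
```

Because stored salted hashes cannot be re-derived into SHA-1, this check belongs at the moment a password is set or changed (for example in a directory password filter), with a non-zero count rejecting the choice or forcing a reset.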