The California Office of the Attorney General disclosed a data breach affecting PayPal that occurred between **December 6–8, 2022**, in which unauthorized actors gained access to customer accounts using compromised login credentials. The incident exposed sensitive personal information, including **names, addresses, Social Security numbers, and dates of birth**. While no evidence of misuse has been reported, the breach posed a significant risk due to the nature of the exposed data, particularly financial and identity-related details. The attack targeted customer accounts directly, raising concerns over potential fraud, identity theft, or phishing that leverages the stolen data. PayPal likely faced reputational damage and regulatory scrutiny, though the absence of confirmed misuse slightly mitigated immediate financial harm. The breach underscored vulnerabilities in credential security and the broader risks of unauthorized access in digital payment platforms.
Source: https://oag.ca.gov/ecrime/databreach/reports/sb24-561929
TPRM report: https://www.rankiteo.com/company/paypal
"id": "pay253091725",
"linkid": "paypal",
"type": "Breach",
"date": "12/2022",
"severity": "85",
"impact": "4",
"explanation": "Attack with significant impact with customers data leaks"
{'affected_entities': [{'industry': 'Fintech / Digital Payments',
                        'location': 'California, USA',
                        'name': 'PayPal, Inc.',
                        'type': 'Financial Services'}],
 'attack_vector': 'Credential Stuffing / Account Takeover',
 'data_breach': {'data_exfiltration': 'Potential (unauthorized access '
                                      'confirmed)',
                 'personally_identifiable_information': ['names',
                                                         'addresses',
                                                         'Social Security '
                                                         'numbers',
                                                         'dates of birth'],
                 'sensitivity_of_data': 'High',
                 'type_of_data_compromised': ['Personally Identifiable '
                                              'Information (PII)']},
 'date_detected': '2022-12-08',
 'date_publicly_disclosed': '2023-01-18',
 'description': 'The California Office of the Attorney General reported a data '
                'breach involving PayPal, Inc. on January 18, 2023. The breach '
                'occurred between December 6, 2022, and December 8, 2022, with '
                'unauthorized access to customer accounts using login '
                'credentials, potentially exposing personal information such '
                'as names, addresses, Social Security numbers, and dates of '
                'birth; however, no misuse of the information has been '
                'reported.',
 'impact': {'brand_reputation_impact': 'Potential (no misuse reported)',
            'data_compromised': ['names',
                                 'addresses',
                                 'Social Security numbers',
                                 'dates of birth'],
            'identity_theft_risk': 'High (PII exposed)'},
 'initial_access_broker': {'entry_point': 'Compromised login credentials'},
 'investigation_status': 'Disclosed (no further updates)',
 'post_incident_analysis': {'root_causes': ['Credential reuse / weak '
                                            'authentication']},
 'references': [{'date_accessed': '2023-01-18',
                 'source': 'California Office of the Attorney General'}],
 'regulatory_compliance': {'regulations_violated': ['California Consumer '
                                                    'Privacy Act (CCPA)'],
                           'regulatory_notifications': ['California Office of '
                                                        'the Attorney '
                                                        'General']},
 'response': {'communication_strategy': 'Public disclosure via California AG '
                                        '(January 18, 2023)'},
 'title': 'PayPal Data Breach (December 2022)',
 'type': 'Data Breach (Unauthorized Access)'}