
PayPal: 35,000 Users Had Social Security, Tax Info Exposed to Hackers

The hackers accessed the information by successfully guessing the affected users' passwords through a 'credential stuffing' attack.

Michael Kan, Principal Reporter


Nearly 35,000 PayPal users had their personal information, including Social Security and tax identification numbers, exposed to hackers, according to the company.

PayPal is sending data breach notices to thousands of users, according to BleepingComputer, which was first to report the news. On Wednesday, PayPal also notified Maine’s attorney general about the incident, saying it affected 34,942 users. 

The hackers accessed the user information not by breaching PayPal’s internal systems, but by successfully guessing login passwords. Specifically, the hackers resorted to a “credential stuffing” attack, which involves automatically injecting login credentials uncovered in past data breaches. 

The login attempts occurred last month, from Dec. 6 to 8, before PayPal began eliminating the hackers’ access. Fortunately, the attackers refrained from making any fraudulent transactions on the affected accounts. Nevertheless, the culprits were able to access sensitive personal information from thousands of users, which could be exploited to conduct identity theft schemes and other scams.

“The personal information that was exposed could have included your name, address, Social Security number, individual tax identification number, and/or date of birth,” PayPal wrote in the data breach notice it’s been sending to affected consumers.  

In a statement to PCMag, PayPal downplayed the incident, saying only a “small number of PayPal customer accounts” had been affected. 

“PayPal’s payment systems were not impacted, and no financial information was accessed,” a company spokesperson said. “We have contacted affected customers directly to provide guidance on this matter to help them further protect their information. The security and privacy of our customers’ account information remains a top priority for PayPal, and we sincerely apologize for any inconvenience this may have caused.”

In its data breach notice, PayPal further noted: “We have no information suggesting that any of your personal information was misused as a result of this incident, or that there are any unauthorized transactions on your account.” In addition, the company has reset passwords on the affected PayPal accounts. 

Still, victims should be on guard. For example, the hackers could use the exposed personal information to open credit cards or file a tax return with the goal of stealing the user's refund from the IRS. In response, PayPal plans on offering affected victims two years of free identity monitoring services.

The incident is also a reminder to use unique, hard-to-guess passwords on your most important login accounts. You should also activate the account’s two-factor authentication, which can make it harder for hackers to break in even if they successfully obtained your password. 
