
PayPal Fined $2M Over Cybersecurity Breach Exposing Customer Data

  • Written by Kiara Fabbri Former Tech News Writer
  • Fact-Checked by Justyn Newman Former Lead Cybersecurity Editor

PayPal has been fined $2 million by New York’s Department of Financial Services (DFS) for cybersecurity lapses that resulted in the exposure of customers’ Social Security numbers in late 2022, as first reported by Reuters.

In a Rush? Here are the Quick Facts!

  • Cybercriminals exploited PayPal using “credential stuffing” to access sensitive customer data.
  • PayPal failed to implement multifactor authentication and CAPTCHA during the breach.
  • Company now mandates multifactor authentication and password resets for U.S. accounts.

The breach, which lasted approximately seven weeks, left sensitive data including names, birth dates, and Social Security numbers vulnerable to cybercriminals, DFS announced Thursday.

Adrienne Harris, New York’s financial services superintendent, revealed that PayPal lacked qualified personnel to oversee critical cybersecurity operations and failed to provide adequate training to mitigate risks. These shortcomings made it easier for attackers to exploit the system, noted Reuters.

The issue came to light on December 6, 2022, when a security analyst discovered an online message referencing a vulnerability, labeled “PP EXPLOIT TO GET SSN.” The following day, PayPal’s cybersecurity team detected a surge in unauthorized access attempts on its platform, said Reuters.

Investigations revealed that attackers were employing “credential stuffing” techniques to view federal tax forms belonging to tens of thousands of customers, said Reuters.

The breach occurred after PayPal altered data flow configurations to expand access to these forms, inadvertently exposing sensitive information. Harris also criticized PayPal for failing to implement basic security measures such as multifactor authentication and CAPTCHA to deter unauthorized access, as reported by Reuters.

In a statement, Reuters reports that PayPal acknowledged the investigation and reaffirmed its commitment to safeguarding user information. “Protecting consumers’ personal information and maintaining a secure platform is a top priority,” the company said.

Since the breach, PayPal has implemented multifactor authentication for all U.S. customer accounts, mandated password resets for affected users, and added CAPTCHA to enhance security, noted Reuters.

The $2 million fine is tied to violations of New York’s cybersecurity regulation, which was established in 2017 to enhance protections for financial services, reports Reuters.


Trump Signs Executive Order To Develop Crypto Regulations And A National Stockpile

  • Written by Andrea Miliani Former Tech News Expert
  • Fact-Checked by Justyn Newman Former Lead Cybersecurity Editor

President Donald Trump signed an executive order on Thursday to regulate digital assets, creating a working group to develop a crypto framework, explore a national digital asset stockpile, and implement measures to foster the growth of the cryptocurrency industry in the United States.

In a Rush? Here are the Quick Facts!

  • The new executive order signed by President Donald Trump includes multiple measures to ensure the growth of the cryptocurrency industry in the United States.
  • Trump requested the creation of a Working Group to develop a digital assets regulatory framework.
  • The order suggests the creation and maintenance of a national digital asset stockpile using cryptocurrencies taken by the U.S. government during law enforcement duties.

In its recent executive order, Strengthening American Leadership in Digital Financial Technology, Trump ordered the creation of a working group on digital assets, named the “Working Group”, including multiple roles, to come up with regulations, guidelines, and suggestions to create a federal regulatory framework.

WATCH: Donald Trump ordered the creation of a cryptocurrency working group tasked with proposing new digital asset regulations and exploring the creation of a national cryptocurrency stockpile, making good on his promise to overhaul US crypto policy https://t.co/jTK0ttyQHE — Reuters Tech News (@ReutersTech) January 24, 2025

The Working Group—led by David Sacks, a venture capitalist who recently joined the White House administration as AI and Crypto czar—is also expected to consider the “creation and maintenance of a national digital asset stockpile,” suggesting rules, maintenance, and use of the government’s cryptocurrencies taken during law enforcement actions. According to Axios, the U.S. government currently holds around $21 billion in crypto assets.

The order required protection for banking services, prioritized U.S. dollar-backed stablecoins, and banned any Central Bank Digital Currencies (CBDCs) projects in the country. Users

The new measures show a significant twist in Trump’s posture towards cryptocurrency, as he was against the development of the crypto market in the U.S. during his previous term. Since he won the election, Bitcoin surpassed the 100,000 milestone last month, after Trump named Paul Atkins, an advocate for cryptocurrency adoption, as head of the Securities and Exchange Commission (SEC).