
New York State Fines PayPal $2 Million Over 2022 Data Breach
The Department of Financial Services (DFS) for the state of New York (US) announced that it will fine PayPal $2 million USD over a 2022 data breach that exposed the personally identifiable information (PII) of tens of thousands of customers, following a years-long investigation.
The original breach occurred in December 2022, when PayPal implemented site-wide changes to make a tax form accessible to a broader set of customers. According to the consent order, between December 6 and December 8, 2022, a PayPal security analyst discovered an online message that read “PP EXPLOIT TO GET SSN” and included instructions for viewing PayPal customers’ Social Security numbers (SSNs).
The breach was the result of credential stuffing, an attack in which attackers use automated tooling to submit (or “stuff”) large numbers of username/password pairs stolen in other breaches against a login form until some of them work. The attack succeeds because many people reuse the same password across multiple services, and because the targeted service lacks controls such as multi-factor authentication and login rate limiting that would stop a valid password alone from being enough.
Attackers source these credentials from third-party compilations of previously leaked passwords, such as the 2024 dump of nearly 10 billion passwords that experts called the “biggest password leak ever.”
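The pattern just described is what a defender looks for in authentication logs: one source trying many different usernames at machine speed, almost all of them failing, with the occasional success marking an account whose reused password was in the attacker’s list. The following detector is an added example written for this article, not code from PayPal or from the DFS order; the log line format, the thresholds and the sample events are all constructed assumptions for illustration.

```python
"""Added example (not from the article, PayPal or DFS): a minimal
credential-stuffing detector run over constructed login-event records.

Credential stuffing has a distinctive shape in authentication logs:
one source tries MANY distinct usernames, each only once or twice,
with a high failure rate, at machine speed. A single user fumbling a
password looks different: one username, a few attempts, mixed results.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class LoginEvent:
    ts: datetime
    src_ip: str
    username: str
    success: bool


def parse_line(line: str) -> LoginEvent:
    """Parse one log line of the (assumed, constructed) form
    '2022-12-07T10:00:01Z ip=203.0.113.5 user=alice result=FAIL'."""
    ts_s, *kvs = line.split()
    fields = dict(kv.split("=", 1) for kv in kvs)
    return LoginEvent(
        ts=datetime.strptime(ts_s, "%Y-%m-%dT%H:%M:%SZ"),
        src_ip=fields["ip"],
        username=fields["user"],
        success=fields["result"] == "OK",
    )


def detect_stuffing(events, window=timedelta(minutes=10),
                    min_distinct_users=10, min_fail_rate=0.8):
    """Return {src_ip: sorted usernames that logged in successfully from it}
    for every source that, inside a sliding `window`, tried at least
    `min_distinct_users` different usernames with a failure rate of at
    least `min_fail_rate`. Thresholds are illustrative assumptions."""
    by_ip = defaultdict(list)
    for ev in sorted(events, key=lambda e: e.ts):
        by_ip[ev.src_ip].append(ev)

    flagged = {}
    for ip, evs in by_ip.items():
        start = 0
        for end in range(len(evs)):
            # Advance the window start so evs[start:end+1] spans <= window.
            while evs[end].ts - evs[start].ts > window:
                start += 1
            span = evs[start:end + 1]
            distinct = {e.username for e in span}
            fails = sum(not e.success for e in span)
            if len(distinct) >= min_distinct_users and fails / len(span) >= min_fail_rate:
                # Every successful login from a stuffing source is a
                # compromised account, whenever in the log it happened.
                flagged[ip] = sorted({e.username for e in evs if e.success})
                break
    return flagged


def build_sample_log():
    """Constructed sample: one source spraying 25 leaked username/password
    pairs two seconds apart (two of them still valid), plus one real user
    who mistypes her password twice. Not real PayPal data."""
    base = datetime(2022, 12, 7, 10, 0, 0)
    fmt = "%Y-%m-%dT%H:%M:%SZ"
    lines = []
    for i in range(25):
        ts = (base + timedelta(seconds=2 * i)).strftime(fmt)
        result = "OK" if i in (7, 19) else "FAIL"
        lines.append(f"{ts} ip=203.0.113.5 user=user{i:02d} result={result}")
    for offset, result in ((5, "FAIL"), (40, "FAIL"), (75, "OK")):
        ts = (base + timedelta(seconds=offset)).strftime(fmt)
        lines.append(f"{ts} ip=198.51.100.7 user=alice result={result}")
    return lines


def run_detection(lines):
    """Parse raw lines and return the detector's findings."""
    return detect_stuffing([parse_line(line) for line in lines])


if __name__ == "__main__":
    for ip, victims in run_detection(build_sample_log()).items():
        print(f"credential stuffing from {ip}: "
              f"{len(victims)} account(s) compromised: {victims}")
```

Two caveats a practitioner would add: real campaigns spread attempts across many proxy addresses, so the same logic is usually keyed on a device fingerprint or ASN as well as on source IP; and detection is the backstop, not the fix. The controls that actually stop the attack are the ones the consent order describes PayPal adding afterwards: multi-factor authentication, so that a valid password alone is not enough, together with rate limiting and CAPTCHA on the login endpoint.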
Though PayPal took corrective action almost immediately after the December 2022 attack, the PII of 34,942 accounts had already been compromised. Besides SSNs, the exposed information included full names, dates of birth, and other account details.
New York’s DFS launched an investigation into PayPal’s cybersecurity practices and, in the press release announcing the penalty, concluded that “PayPal failed to use qualified personnel to manage key cybersecurity functions and failed to provide adequate training to address cybersecurity risks. These failures led to sensitive customer information, including social security numbers (SSNs), being left unredacted and easily accessible to cybercriminals.”
The company cooperated with the DFS probe. “Protecting consumers’ personal information and maintaining a secure platform is a top priority for us and we take our regulatory responsibilities seriously,” wrote PayPal in a statement.
PayPal now requires multi-factor authentication for all US account logins, according to the consent order.