114 points by el_duderino, 4 hours ago | 11 comments
  • elphinstone, an hour ago
    I recently tried to sign up for paypal, "tried" being the operative word since their garbage, broken processes couldn't verify me despite bank info, etc.

    After seeing their profound incompetence at customer acquisition, ineptitude on the security front is no surprise.

  • Insanity, 3 hours ago
    So from the article they claim:

    "PayPal has since rolled back the code change responsible for this error, which potentially exposed the PII. We have not delayed this notification as a result of any law enforcement investigation."

    That does little to explain the 2 month-ish delay in disclosing it. I presume they could have disclosed _at least_ that account data was leaked even if the underlying bug wasn’t yet closed?

    Obviously without disclosing the nature of the bug in that case.

    • malfist, 3 hours ago
      It's one of those "suspiciously specific denials"

      They didn't delay the release because of law enforcement investigation, it doesn't say they didn't delay the release. There's a whole host of reasons besides "law enforcement investigation" to delay an embarrassing release, including "I don't wanna"

      • sidewndr46, 2 hours ago
        The quote is: "We have not delayed this notification as a result of any law enforcement investigation"

        The obvious example here would be if the NSA or other agency that isn't law enforcement led the investigation.

        But further abuse of the English language reveals a different conclusion. This was not delayed as a result of any law enforcement investigation. It could have been delayed as a result of a specific law enforcement investigation. Furthermore, the word "result" implies that it is tied to the conclusion of said investigation(s). It could in fact have been delayed because of a pending law enforcement investigation.

    • motbus3, 26 minutes ago
      Just before Christmas? I doubt it
  • jimnotgym, an hour ago
    Great, who from PayPal is going to jail over this?
    • zer00eyz, 28 minutes ago
      Wow!

      Let's take the article at face value: "The financial technology company said it has reversed the code change that caused the incident, blocking attackers' access to the data one day after discovering the breach."

      Great, that's your bug. Key word here being BUG. Your name next to the commit that caused this.

      Should you go to prison? Probably not.

      Tell me you never had a bug, a security hole, never took production down. Never made a mistake. Tell me that you want to go to jail for human error. Not intent, error.

    • bloomingeek, an hour ago
      I've been thinking this way for several years now, what a fool I was! Corporations are the elite of society now. They can't fail, they pay off every one of any importance, i.e., not you or I. The dog and pony show in Congress involving FB is further proof they can do no wrong as long as they explain the law to the dolts in Congress. (While being watched by SCOTUS, who are laughing their asses off.)

      The rule of the corporate thumbs for several decades now is: it's more profitable to pay a fine than follow the law. (And if Congress isn't keeping up with current tech which needs new laws to protect consumers, who cares?)

      • chrneu, an hour ago
        They're people but also not people!

        Lol what an amazing con the oligarchs managed to pull. They get to reap all the rewards of their parasitic selfish behavior with basically none of the risk. Just make a corp.

  • TitaRusell, an hour ago
    Hopefully WERO will finally wipe out PayPal in Europe. Despite the ridiculous name.
    • sevenzero, an hour ago
      Didn't see a single store I regularly buy from offer it yet, unfortunately.
  • cmehdy, 2 hours ago
    > The company now offers affected users two years of free three-bureau credit monitoring and identity restoration services through Equifax, which require enrollment by June 30, 2026.

    How tasteful.

    • SilverElfin, 2 hours ago
      I think all companies just believe security doesn’t matter because the worst thing that can happen is they offer to pay for a credit monitoring. And the victims are powerless to pursue a meaningful lawsuit against them. Even when that happens, it results in a class action settlement where lawyers get a bunch of money and victims get very little.
  • lurkercodemnky, 24 minutes ago
    The ignorance of a company like PayPal is obviously bad.

    That said, I think we need to have an equivalent of automated integration testing for security vulnerabilities.

    Even if PenTesters (or whatever they're called these days) do some testing and uncover some bugs, the applications under continuous development will inevitably introduce "bugs" not seen before.

  • dheera, 17 minutes ago
    These kinds of breaches are why I'm against KYC's current implementation.

    If the government wants to know who I am, that's fine, I'm not here to fight the law. I however don't think it should be necessary to tell banks and private businesses where I physically sleep. That is more information than they need to operate, and every few months it seems someone has a data breach.

  • anonymous908213, 2 hours ago
    Irrelevant to the current breach, but at the end of the article...

    > In January 2023, PayPal notified customers of another data breach after a large-scale credential stuffing attack compromised 35,000 accounts between December 6 and December 8, 2022.

    > Two years later, in January 2025, New York State announced a $2,000,000 settlement with PayPal over charges that it failed to comply with the state's cybersecurity regulations, leading to the 2022 data breach.

    I didn't hear about this New York case. I'm the first to lament the incredibly sorry state of affairs of data security, to the extent that such security exists at all, but it is insane that you can get fined $2,000,000 for your customers re-using e-mail + password combinations between sites and becoming compromised as a result. I truly loathe mandatory 2FA with every fiber of my being and I guess New York would like to enforce it on the world? Sigh. Everything about the internet just gets worse and worse, continuously.

    • chrneu, an hour ago
      I got like $230 from that PayPal breach. Pretty rad.
    • thunderfork, 19 minutes ago
      You don't have to do 2FA, but there's liability in being vulnerable to credential-stuffing, and 2FA is one of many ways to mitigate that.
  • josefritzishere, 2 hours ago
    There should be legal penalties for failing to inform users in a timely fashion. A 6-month delay is ridiculous. They put all their users at risk.
  • oxqbldpxo, an hour ago
    Imagine when Palantir gets hacked.
    • rickknowlton, 40 minutes ago
      In a way the data can't really get into worse hands than Palantir, can it? lol jk
  • flipped, 2 hours ago
    This is the reason you should be using Monero. The benefits are extremely fruitful for everyone. Private, untraceable, full control over your funds, no breach possible.
    • _verandaguy, 2 hours ago
      These are often undesirable features for SMEs that need to be accountable for a variety of reasons, including KYC regulations; besides, while blockchains provide protocol-level security, they fail in two ways that do matter to consumers:

      - They provide no meaningful consumer protections (since this necessarily requires an authority, which blockchains may not have)

      - They don't protect at all against meatspace vulnerabilities like scams and other deception-based attacks, which are by far the more common issue in banking. This is exacerbated by the lack of consumer protections.

      (To be clear: don't read my comment as being in support of PayPal. They have abused user trust for a while, and I haven't had an account there in over a year -- fuck 'em.)

    • pennomi, 2 hours ago
      What percentage of businesses actually accept Monero?
    • draygonia, an hour ago
      Aside from it being an unstable store of value, but that's a problem with all cryptos (and stablecoins, when they collapse).