TL;DR: PayPal got hacked likely because I hadn’t been diligent in updating passwords. Had I not seen the hack right away, I likely would’ve lost my money forever. After the PayPal DC nerf that’s scheduled, I don’t plan to use the PayPal debit card anymore due to the risk. Stay safe out there.
So as I’ve been using the PayPal debit card for groceries for the last year, I decided to put about $1000 in cash into my savings for my card to draw on when funds got low.
On Sunday I got a notification that somebody I didn’t know sent me a cent. Thinking it was either tied to a scam or someone making sure they were sending money to the right account, I completely ignored it.
5 minutes later I got a notification that a login had just happened on my PayPal, and I immediately checked it out as I had not logged in on a new device. The login came from out of state.
I acted immediately, trying to change my password and remove new logins from the web browser. Simultaneously I was calling PayPal support. Some things I learned here:
- If your two-factor authentication is your email or an old phone number, they can exploit that and get around it. Use Google Authenticator.
- The app is worthless for security. If you get sent a penny or see an unauthorized login, go straight to a computer browser.
- PayPal has very lax security once someone is in: they can change the linked email, home address, and phone number within the profile and effectively lock you out very quickly without verification to any of your old contact info.
- Calling PayPal support when someone is actively trying to lock you out of your account is hell. You’re met by a bot, and you really just need to say “speak to a representative” immediately or you’ll get run around on account details.
Luckily: with me and customer support working in conjunction — we locked the guy out without him taking funds. Every time he would change an email, I changed it back, phone, address, etc — until PayPal was able to lock him out.
I checked the email associated with my PayPal in a data breach website, and it had been leaked. Change your passwords frequently. I have always been told that but never thought it would happen to me.
I then changed all passwords to my emails, especially those tied to any financial institutions, and changed the passwords to my financial institutions themselves. I made sure 2FA was enabled, and all contact info/security questions were in place. And for good reason. The next day I got a failed login attempt to my primary bank, and luckily since I changed everything they couldn’t get in.
Conclusion: I took my money out of PayPal and cancelled my card connected to it. In looking up other instances of this happening on Reddit, PayPal is ruthless and will do nothing to help if your funds are lost. And if your funds aren’t lost they may freeze your account for an unknown period of time because it was linked to suspicious activity. I don’t plan on using my PayPal debit card anymore because of the risk and also because it’s getting nerfed in a few months anyways so it won’t be particularly worth it.
PayPal got hacked, be careful
by u/ButterscotchHairy599 in CreditCards