How many millions of dollars have they seized without cause? I can't believe they are still going, I can only hope someday somebody with a bit of money can sue their pants off in court and get them shut down.
Was under the impression that funds like that eventually get handed over to whatever state agency is responsible for dealing with unclaimed property.
(If so, the cause might just be incompetence rather than greed or malice - not that incompetence is any better than malice when it comes to handling people's money)
I think it is highly likely the wealth of the PayPal mafia founders is partly derived from this theft.
If you don't use that, then you're pretty much screwed with PayPal F&F, Zelle, Cash App, Venmo etc. At least as far as I'm aware.
This was mostly due to century-old banking regulations and the difficulty for any new type of money processor to get themselves connected to the necessary backend systems to actually do anything.
It had absolutely nothing to do with the qualities of PayPal. In many ways they were simply the only game in town.
When I try to purchase something with my credit card directly on Best Buy's website, my order always gets cancelled (presumably something in their fraud algorithm), but when I pay using PayPal, the order goes through just fine.
But PayPal probably existed and was easier for merchants in more countries than other payment services at certain points.
Not on my planet and I've run $100m+ through them over the years.
"PayPal has since rolled back the code change responsible for this error, which potentially exposed the PII. We have not delayed this notification as a result of any law enforcement investigation."
That does little to explain the 2 month-ish delay in disclosing it. I presume they could have disclosed _at least_ that account data was leaked even if the underlying bug wasn’t yet closed?
Obviously without disclosing the nature of the bug in that case.
They didn't delay the release because of law enforcement investigation; it doesn't say they didn't delay the release. There's a whole host of reasons besides "law enforcement investigation" to delay an embarrassing release, including "I don't wanna".
The obvious example here would be if the NSA or other agency that isn't law enforcement led the investigation.
But further abuse of the English language reveals a different conclusion. This was not delayed as a result of any law enforcement investigation. It could have been delayed as a result of a specific law enforcement investigation. Furthermore, the word "result" implies that it is tied to the conclusion of said investigation(s). It could in fact have been delayed because of a pending law enforcement investigation.
If the government wants to know who I am, that's fine, I'm not here to fight the law. I however don't think it should be necessary to tell banks and private businesses where I physically sleep. That is more information than they need to operate, and every few months it seems someone has a data breach.
How tasteful.
After seeing their profound incompetence at customer acquisition, ineptitude on the security front is no surprise.
I hardly ever use my Microsoft account. Probably haven't logged into it for years. But recently I wanted to give my kid a few bucks to spend on Minecraft micro transactions, and boy, just logging in was a nightmare of verifications and codes and resets. And then making a purchase? Instantly denied with a vague error message that directed me to contact what turned out to be their fraud department. Totally user-hostile, when I'm just trying to get them to take my money.
The security tail seems to be wagging the dog at these companies.
Let's take the article at face value: "The financial technology company said it has reversed the code change that caused the incident, blocking attackers' access to the data one day after discovering the breach."
Great, that's your bug. Key word here being BUG. Your name next to the commit that caused this.
Should you go to prison? Probably not.
Tell me you never had a bug, a security hole, never took production down. Never made a mistake. Tell me that you want to go to jail for human error. Not intent, error.
Why shall it be different with code?
The rule of the corporate thumbs for several decades now is: it's more profitable to pay a fine than follow the law. (And if Congress isn't keeping up with current tech which needs new laws to protect consumers, who cares?)
Lol what an amazing con the oligarchs managed to pull. They get to reap all the rewards of their parasitic selfish behavior with basically none of the risk. Just make a corp.
I could create a separate email, but I don't want to. I could take over the account, but I'm also unwilling to commit financial fraud. I called PayPal, and they said they couldn't do anything.
I've just used Stripe, Link, or directly used my credit card. Nothing bad has ever happened as a result. Any time I've had a dispute, I've been able to get a refund from my credit card company.
I also live in Canada. We have had "e-Transfer" since 2003, meaning I can securely email or text money to friends and family with no fees. So I don't need PayPal for that, either.
That said, I think we need to have an equivalent of automated integration testing for security vulnerabilities.
Even if PenTesters (or whatever they're called these days) do some testing and uncover some bugs, the applications under continuous development will inevitably introduce "bugs" not seen before.
> In January 2023, PayPal notified customers of another data breach after a large-scale credential stuffing attack compromised 35,000 accounts between December 6 and December 8, 2022.
> Two years later, in January 2025, New York State announced a $2,000,000 settlement with PayPal over charges that it failed to comply with the state's cybersecurity regulations, leading to the 2022 data breach.
I didn't hear about this New York case. I'm the first to lament the incredibly sorry state of affairs of data security, to the extent that such security exists at all, but it is insane that you can get fined $2,000,000 for your customers re-using e-mail + password combinations between sites and becoming compromised as a result. I truly loathe mandatory 2FA with every fiber of my being and I guess New York would like to enforce it on the world? Sigh. Everything about the internet just gets worse and worse, continuously.
Wish them much bad press.
Also, I’m using a single, common storage of credit card information, rather than needing to track 100s of different websites with potentially even more lax security.
The poster child for “there is not nearly enough regulation”
I don’t agree with that so I’ve got to work out why PayPal is such a total disgrace.