Almost 20 years ago now paypal stole my $15 for no cause, I bought a videogame with it once off a major website, had $15 in it sitting around for 6 months, tried to use it to buy something off ebay and got locked out instantly. Then demanded all sorts of hoop jumping to get it back with notarized license and crap. Ive been saying screw them ever since, and not once have I regretted it. Every year there is some more shit showing that was the right move.
How many millions of dollars have they seized without cause? I can't believe they are still going, I can only hope someday somebody with a bit of money can sue their pants off in court and get them shut down.
I tried to sign up for paypal to send money collected from coworkers for a pregnancy gift. I had to sign up, enter my bank info, then verify deposits went through to use the bank account. Once I did that my account was instantly locked, then I still couldn’t use my account until I called customer support and scanned in my ID. I called them to delete the account and just bought a digital gift card online.
At one point on the internet PayPal was the most trusted way to send and receive money - at least you are limiting sharing your personal payment information with random companies on the internet who may or may not be compliant. Lately though, with companies like Stripe and Plaid making it nearly frictionless to add payments to your website just as PP once did, and things like Google & Apple pay - why is there a need to use PayPal anymore? Their support is notoriously awful, the product is slow and dated, as a consumer at least I see no reason to not stop using PayPal (and their subsidies) entirely.
AFAIK Stripe and Plaid support only a fraction of the countries that PayPal does. And PayPal is still a global brand - recognized by almost everyone, everywhere.
Paypal G&S generally always gets money back if something went wrong on a p2p transaction. I've been scammed once or twice, but I always use G&S and have received my money back in full.
If you don't use that, then you're pretty much screwed with Paypal F&F, Zelle, Cashapp, Venmo etc. At least as far as I'm aware.
Wasn't PayPal at least at one time an easier way to support foreign transactions? Stripe was US-only last time I used it (which was years ago).
paypal is still around? I haven't seen any "accepts paypal" / paypal / checkout with paypal since around 2023 and the realization of it makes me unreasonably happy.
So from the Article they claim:
"PayPal has since rolled back the code change responsible for this error, which potentially exposed the PII. We have not delayed this notification as a result of any law enforcement investigation."
That does little to explain the 2 month-ish delay in disclosing it. I presume they could have disclosed _at least_ that account data was leaked even if the underlying bug wasn’t yet closed?
Obviously without disclosing the nature of the bug in that case.
It's one of those "suspiciously specific denials"
They didn't delay the release because of law enforcement investigation, it doesn't say they didn't delay the release. There's a whole host of reasons besides "law enforcement investigation" to delay an embarrassing release, including "I don't wanna"
The quote is: "We have not delayed this notification as a result of any law enforcement investigation"
The obvious example here would be if the NSA or other agency that isn't law enforcement led the investigation.
But further abuse of the English language reveals a different conclusion. This was not delayed as a result of any law enforcement investigation. It could have been delayed as a result of a specific law enforcement investigation. Furthermore, the word "result" implies that it is tied to the conclusion of said investigation(s). It could in fact have been delayed because of a pending law enforcement investigation.
Just before Christmas? I doubt it
I recently tried to sign up for paypal, "tried" being the operative word since their garbage, broken processes couldn't verify me despite bank info, etc.
After seeing their profound incompetence at customer acquisition, ineptitude on the security front is no surprise.
I think in general, it's getting harder and harder to 1. newly sign up for online services, and 2. come back to these services after long periods of inactivity. Everyone's got overly-aggressive automation that blocks you for no discernible reason, and endlessly requests more and more invasive "verification" schemes.
I hardly ever use my Microsoft account. Probably haven't logged into it for years. But recently I wanted to give my kid a few bucks to spend on Minecraft micro transactions, and boy, just logging in was a nightmare of verifications and codes and resets. And then making a purchase? Instantly denied with a vague error message that directed me to contact what turned out to be their fraud department. Totally user-hostile, when I'm just trying to get them to take my money.
The security tail seems to be wagging the dog at these companies.
Great, who from PayPal is going to jail over this?
Wow!
Lets take the article at face value: "The financial technology company said it has reversed the code change that caused the incident, blocking attackers' access to the data one day after discovering the breach."
Great thats your bug. Key word here being BUG. Your name next to the commit that caused this.
Should you go to prison? Probably not.
Tell me you never had a bug, a security hole, never took production down. Never made a mistake. Tell me that you want to go to jail for human error. Not intent, error.
When a bridge falls, there is a case in the courts, and sometimes engineers go to prison.
Why shall be different with code?
The defense for the civil engineer is that his design was in accordance with usual and customary engineering standards. If he did something unusual or new, he might be liable if that was the root cause of the failure. If he signed off on a sound design, he's probably OK.
Should work the same with software. The problem is that nobody learns that, schools don't teach it (school isn't even required to be a software developer), and there's no licencing bodies that enforce it. And, ultimately, most software failures don't cause death or injury.
Not OP, but 40 years in software, so here’s your answer — abstraction is the essence of programming. Get good enough at this, with a poor moral compass, and you can justify your code doing anything with no accountability whatsoever.
Corporate software engineers learn early on that they’re only responsible for their keystrokes (e.g., bug tickets, code formatting), not for the effects of their work (e.g., more efficient distribution of child pornography).
Most developers are so inured to this that they react defensively by reflex to any suggestion that their code should have done _anything_ other than what it did. They’re not responsible, see?
I don’t know about civil engineering but don’t people only go to jail for negligence or worse?
Similarly, if the change was a bug, write a postmortem, find ways to make the whole and move on. If it was malicious, then prosecute.
I doubt it was malicious though.
> Why shall be different with code?
Quite possibly cause software engineering feels like tofu dreg construction all of the way down - it's a bunch of suits pushing devs to make features with ever changing technologies and practices where the framework/technology/approach of the year/month/week eats up all of the focus and nobody ever establishes proper good baselines and standards of what "good code" is and instead the nerds argue ad infinitum about a bunch of subjective stuff while drowning in accidental complexity, made worse by microservices, AI slop and chasing after zero downtime instead of zero bugs. It's bad incentives all the way down. On the other end of the spectrum, you have codebases that perhaps should have taken advantage of some of the newfound wisdom of the past 40 years, but instead they're written in COBOL or FORTRAN and the last devs who know the tech are literally dying out.
There's nigh infinite combinations of tech stacks out there and because corpos literally won't incentivize people to not job hop, you don't really get that many specialists with 20 years of experience in a given technology that at least have a chance at catching the stuff that formal code analysis and other tooling didn't because nobody cares that much about validating correctness past saying "Yeah, obviously you should have some test coverage." To be more clear, whoever came up with the idea of wiring up the internals of your app at runtime on startup instead of during compilation, a la the majority of Spring and Spring Boot, should go to jail. And everyone who made dynamic languages as well.
Put everyone in jail for daring to be employed in that shitshow: devs, execs and the tech vendors as well, for not prioritizing the code correctness like you would in a spaceship (aside from Ariane 5) or a plane (aside from MCAS) or proper financial systems (aside from Knight Capital) or CPUs (aside from the Pentium FDIV bug). Sure, there plenty of proper engineering out there, but my experience makes me view the claim that we should treat software like "real engineering" as a sick joke, when so much of the stuff I've seen and used isn't, about the same confusion that you'd get when you'd suggest that 100% code coverage is something that you should do if you're serious, though obviously that would make you never ship and we can't have that. Software is like the Wild West except people pretend to be serious, some days it feels like the only winning move is not to play (and to starve).
Sorry about the rant, pissed off at the status quo and the state of the industry, it feels like building a house of cards, except some of the cards aren't even rectangular. They wasted millions in my country to make a not working e-health system, for a country of like 2 million people. I'm not surprised in the slightest that breaches and fuckups will happen with the large orgs too aplenty. It's absurd, the world we live in.
This is a terrible analogy.
You're comparing a failing bridge to an attack.
These things are not the same.
We did not sue the designers of the World Trade Center because their buildings could not withstand being hit by a plane.
I've been thinking this way for several years now, what a fool I was! Corporations are the elite of society now. They can't fail, they pay off everyone of any importance, i.e., not you or I. The dog and pony show in congress involving FB is further proof they can do no wrong as long as they explain the law to the dolts in congress. (While being watched by SCOTUS, who are laughing their asses off.)
The rule of the corporate thumbs for several decades now is: it's more profitable to pay a fine then follow the law. (And if congress isn't keeping up with current tech which needs new laws to protect consumers, who cares?)
They're people but also not people!
Lol what an amazing con the oligarchs managed to pull. They get to reap all the rewards of their parasitic selfish behavior with basically none of the risk. Just make a corp.
Hopefully WERO will finally wipe out PayPal in Europe. Despite the ridiculous name.
Didn't see a single store i regularly buy from offer it yet unfortunately
> The company now offers affected users two years of free three-bureau credit monitoring and identity restoration services through Equifax, which require enrollment by June 30, 2026.
I think all companies just believe security doesn’t matter because the worst thing that can happen is they offer to pay for a credit monitoring. And the victims are powerless to pursue a meaningful lawsuit against them. Even when that happens, it results in a class action settlement where lawyers get a bunch of money and victims get very little.
love the update at the bottom. 'our systems were not compromised' doing a lot of heavy lifting for 'a code change exposed SSNs to unauthorized individuals for six months.
The ignorance of a company like PayPal is obviously bad.
That said, I think we need to have an equivalent of automated integration testing for security vulnerabilities.
Even if PenTesters (or whatever they're called these days) do some testing and uncover some bugs, the applications under continuous development will inevitably introduce "bugs" not seen before.
These kind of breaches are why I'm against KYC's current implementation.
If the government wants to know who I am, that's fine, I'm not here to fight law. I however don't think it should be necessary to tell banks and private businesses where I physically sleep. That is more information than they need to operate, and every few months it seems someone has a data breach.
Irrelevant to the current breach, but at the end of the article...
> In January 2023, PayPal notified customers of another data breach after a large-scale credential stuffing attack compromised 35,000 accounts between December 6 and December 8, 2022.
> Two years later, in January 2025, New York State announced a $2,000,000 settlement with PayPal over charges that it failed to comply with the state's cybersecurity regulations, leading to the 2022 data breach.
I didn't hear about this New York case. I'm the first to lament the incredibly sorry state of affairs of data security, to the extent that such security exists at all, but it is insane that you can get fined $2,000,000 for your customers re-using e-mail + password combinations between sites and becoming compromised as a result. I truly loathe mandatory 2FA with every fiber of my being and I guess New York would like to enforce it on the world? Sigh. Everything about the internet just gets worse and worse, continuously.
I got like $230 from that paypal breach. Pretty rad.
You don't have to do 2FA, but there's liability in being vulnerable to credential-stuffing, and 2FA is one of many ways to mitigate that.
There should be legal penalties for failing to inform users in a timely fashion. A 6 month delay is ridiculous. They put all their users at risk.
Imagine when Palantir gets hacked.
in a way the data can't really get into worse hands than palantir, can it? lol jk
This is the reason you should be using Monero. The benefits are extremely fruitful for everyone. Private, untraceable, full control over your funds, no breach possible.
These are often undesirable features for SMEs that need to be accountable for a variety of reasons, including KYC regulations; besides, while blockchains provide protocol-level security, they fail in two ways that do matter to consumers:
- They provide no meaningful consumer protections (since this necessarily requires an authority, which blockchains may not have)
- They don't protect at all against meatspace vulnerabilities like scams and other deception-based attacks, which are by far the more common issue in banking. This is exacerbated by the lack of consumer protections.
(To be clear: don't read my comment as being in support of PayPal. They have abused user trust for a while, and I haven't had an account there in over a year -- fuck 'em.)
Cash has no consumer protections. I use it all the time. I don't expect to have any consumer protections from crypto either.
What percentage of businesses actually accept monero?
Aside from it being an unstable store of value, but that's a problem with all cryptos (and stablecoins, when they collapse).
Almost 20 years ago now paypal stole my $15 for no cause, I bought a videogame with it once off a major website, had $15 in it sitting around for 6 months, tried to use it to buy something off ebay and got locked out instantly. Then demanded all sorts of hoop jumping to get it back with notarized license and crap. Ive been saying screw them ever since, and not once have I regretted it. Every year there is some more shit showing that was the right move.
How many millions of dollars have they seized without cause? I can't believe they are still going, I can only hope someday somebody with a bit of money can sue their pants off in court and get them shut down.
I tried to sign up for paypal to send money collected from coworkers for a pregnancy gift. I had to sign up, enter my bank info, then verify deposits went through to use the bank account. Once I did that my account was instantly locked, then I still couldn’t use my account until I called customer support and scanned in my ID. I called them to delete the account and just bought a digital gift card online.
At one point on the internet PayPal was the most trusted way to send and receive money - at least you are limiting sharing your personal payment information with random companies on the internet who may or may not be compliant. Lately though, with companies like Stripe and Plaid making it nearly frictionless to add payments to your website just as PP once did, and things like Google & Apple pay - why is there a need to use PayPal anymore? Their support is notoriously awful, the product is slow and dated, as a consumer at least I see no reason to not stop using PayPal (and their subsidies) entirely.
AFAIK Stripe and Plaid support only a fraction of the countries that PayPal does. And PayPal is still a global brand - recognized by almost everyone, everywhere.
Paypal G&S generally always gets money back if something went wrong on a p2p transaction. I've been scammed once or twice, but I always use G&S and have received my money back in full.
If you don't use that, then you're pretty much screwed with Paypal F&F, Zelle, Cashapp, Venmo etc. At least as far as I'm aware.
Wasn't PayPal at least at one time an easier way to support foreign transactions? Stripe was US-only last time I used it (which was years ago).
paypal is still around? I haven't seen any "accepts paypal" / paypal / checkout with paypal since around 2023 and the realization of it makes me unreasonably happy.
So from the Article they claim:
"PayPal has since rolled back the code change responsible for this error, which potentially exposed the PII. We have not delayed this notification as a result of any law enforcement investigation."
That does little to explain the 2 month-ish delay in disclosing it. I presume they could have disclosed _at least_ that account data was leaked even if the underlying bug wasn’t yet closed?
Obviously without disclosing the nature of the bug in that case.
It's one of those "suspiciously specific denials"
They didn't delay the release because of law enforcement investigation, it doesn't say they didn't delay the release. There's a whole host of reasons besides "law enforcement investigation" to delay an embarrassing release, including "I don't wanna"
The quote is: "We have not delayed this notification as a result of any law enforcement investigation"
The obvious example here would be if the NSA or other agency that isn't law enforcement led the investigation.
But further abuse of the English language reveals a different conclusion. This was not delayed as a result of any law enforcement investigation. It could have been delayed as a result of a specific law enforcement investigation. Furthermore, the word "result" implies that it is tied to the conclusion of said investigation(s). It could in fact have been delayed because of a pending law enforcement investigation.
Just before Christmas? I doubt it
I recently tried to sign up for paypal, "tried" being the operative word since their garbage, broken processes couldn't verify me despite bank info, etc.
After seeing their profound incompetence at customer acquisition, ineptitude on the security front is no surprise.
I think in general, it's getting harder and harder to 1. newly sign up for online services, and 2. come back to these services after long periods of inactivity. Everyone's got overly-aggressive automation that blocks you for no discernible reason, and endlessly requests more and more invasive "verification" schemes.
I hardly ever use my Microsoft account. Probably haven't logged into it for years. But recently I wanted to give my kid a few bucks to spend on Minecraft micro transactions, and boy, just logging in was a nightmare of verifications and codes and resets. And then making a purchase? Instantly denied with a vague error message that directed me to contact what turned out to be their fraud department. Totally user-hostile, when I'm just trying to get them to take my money.
The security tail seems to be wagging the dog at these companies.
Great, who from PayPal is going to jail over this?
Wow!
Lets take the article at face value: "The financial technology company said it has reversed the code change that caused the incident, blocking attackers' access to the data one day after discovering the breach."
Great thats your bug. Key word here being BUG. Your name next to the commit that caused this.
Should you go to prison? Probably not.
Tell me you never had a bug, a security hole, never took production down. Never made a mistake. Tell me that you want to go to jail for human error. Not intent, error.
When a bridge falls, there is a case in the courts, and sometimes engineers go to prison.
Why shall be different with code?
The defense for the civil engineer is that his design was in accordance with usual and customary engineering standards. If he did something unusual or new, he might be liable if that was the root cause of the failure. If he signed off on a sound design, he's probably OK.
Should work the same with software. The problem is that nobody learns that, schools don't teach it (school isn't even required to be a software developer), and there's no licencing bodies that enforce it. And, ultimately, most software failures don't cause death or injury.
Not OP, but 40 years in software, so here’s your answer — abstraction is the essence of programming. Get good enough at this, with a poor moral compass, and you can justify your code doing anything with no accountability whatsoever.
Corporate software engineers learn early on that they’re only responsible for their keystrokes (e.g., bug tickets, code formatting), not for the effects of their work (e.g., more efficient distribution of child pornography).
Most developers are so inured to this that they react defensively by reflex to any suggestion that their code should have done _anything_ other than what it did. They’re not responsible, see?
I don’t know about civil engineering but don’t people only go to jail for negligence or worse?
Similarly, if the change was a bug, write a postmortem, find ways to make the whole and move on. If it was malicious, then prosecute.
I doubt it was malicious though.
> Why shall be different with code?
Quite possibly cause software engineering feels like tofu dreg construction all of the way down - it's a bunch of suits pushing devs to make features with ever changing technologies and practices where the framework/technology/approach of the year/month/week eats up all of the focus and nobody ever establishes proper good baselines and standards of what "good code" is and instead the nerds argue ad infinitum about a bunch of subjective stuff while drowning in accidental complexity, made worse by microservices, AI slop and chasing after zero downtime instead of zero bugs. It's bad incentives all the way down. On the other end of the spectrum, you have codebases that perhaps should have taken advantage of some of the newfound wisdom of the past 40 years, but instead they're written in COBOL or FORTRAN and the last devs who know the tech are literally dying out.
There's nigh infinite combinations of tech stacks out there and because corpos literally won't incentivize people to not job hop, you don't really get that many specialists with 20 years of experience in a given technology that at least have a chance at catching the stuff that formal code analysis and other tooling didn't because nobody cares that much about validating correctness past saying "Yeah, obviously you should have some test coverage." To be more clear, whoever came up with the idea of wiring up the internals of your app at runtime on startup instead of during compilation, a la the majority of Spring and Spring Boot, should go to jail. And everyone who made dynamic languages as well.
Put everyone in jail for daring to be employed in that shitshow: devs, execs and the tech vendors as well, for not prioritizing the code correctness like you would in a spaceship (aside from Ariane 5) or a plane (aside from MCAS) or proper financial systems (aside from Knight Capital) or CPUs (aside from the Pentium FDIV bug). Sure, there plenty of proper engineering out there, but my experience makes me view the claim that we should treat software like "real engineering" as a sick joke, when so much of the stuff I've seen and used isn't, about the same confusion that you'd get when you'd suggest that 100% code coverage is something that you should do if you're serious, though obviously that would make you never ship and we can't have that. Software is like the Wild West except people pretend to be serious, some days it feels like the only winning move is not to play (and to starve).
Sorry about the rant, pissed off at the status quo and the state of the industry, it feels like building a house of cards, except some of the cards aren't even rectangular. They wasted millions in my country to make a not working e-health system, for a country of like 2 million people. I'm not surprised in the slightest that breaches and fuckups will happen with the large orgs too aplenty. It's absurd, the world we live in.
This is a terrible analogy.
You're comparing a failing bridge to an attack.
These things are not the same.
We did not sue the designers of the World Trade Center because their buildings could not withstand being hit by a plane.
I've been thinking this way for several years now, what a fool I was! Corporations are the elite of society now. They can't fail, they pay off everyone of any importance, i.e., not you or I. The dog and pony show in congress involving FB is further proof they can do no wrong as long as they explain the law to the dolts in congress. (While being watched by SCOTUS, who are laughing their asses off.)
The rule of the corporate thumbs for several decades now is: it's more profitable to pay a fine then follow the law. (And if congress isn't keeping up with current tech which needs new laws to protect consumers, who cares?)
They're people but also not people!
Lol what an amazing con the oligarchs managed to pull. They get to reap all the rewards of their parasitic selfish behavior with basically none of the risk. Just make a corp.
Hopefully WERO will finally wipe out PayPal in Europe. Despite the ridiculous name.
Didn't see a single store i regularly buy from offer it yet unfortunately
> The company now offers affected users two years of free three-bureau credit monitoring and identity restoration services through Equifax, which require enrollment by June 30, 2026.
How tasteful.
https://en.wikipedia.org/wiki/2017_Equifax_data_breach
I think all companies just believe security doesn’t matter because the worst thing that can happen is they offer to pay for a credit monitoring. And the victims are powerless to pursue a meaningful lawsuit against them. Even when that happens, it results in a class action settlement where lawyers get a bunch of money and victims get very little.
love the update at the bottom. 'our systems were not compromised' doing a lot of heavy lifting for 'a code change exposed SSNs to unauthorized individuals for six months.
The ignorance of a company like PayPal is obviously bad.
That said, I think we need to have an equivalent of automated integration testing for security vulnerabilities.
Even if PenTesters (or whatever they're called these days) do some testing and uncover some bugs, the applications under continuous development will inevitably introduce "bugs" not seen before.
These kind of breaches are why I'm against KYC's current implementation.
If the government wants to know who I am, that's fine, I'm not here to fight law. I however don't think it should be necessary to tell banks and private businesses where I physically sleep. That is more information than they need to operate, and every few months it seems someone has a data breach.
Irrelevant to the current breach, but at the end of the article...
> In January 2023, PayPal notified customers of another data breach after a large-scale credential stuffing attack compromised 35,000 accounts between December 6 and December 8, 2022.
> Two years later, in January 2025, New York State announced a $2,000,000 settlement with PayPal over charges that it failed to comply with the state's cybersecurity regulations, leading to the 2022 data breach.
I didn't hear about this New York case. I'm the first to lament the incredibly sorry state of affairs of data security, to the extent that such security exists at all, but it is insane that you can get fined $2,000,000 for your customers re-using e-mail + password combinations between sites and becoming compromised as a result. I truly loathe mandatory 2FA with every fiber of my being and I guess New York would like to enforce it on the world? Sigh. Everything about the internet just gets worse and worse, continuously.
I got like $230 from that paypal breach. Pretty rad.
You don't have to do 2FA, but there's liability in being vulnerable to credential-stuffing, and 2FA is one of many ways to mitigate that.
There should be legal penalties for failing to inform users in a timely fashion. A 6 month delay is ridiculous. They put all their users at risk.
Imagine when Palantir gets hacked.
in a way the data can't really get into worse hands than palantir, can it? lol jk
This is the reason you should be using Monero. The benefits are extremely fruitful for everyone. Private, untraceable, full control over your funds, no breach possible.
These are often undesirable features for SMEs that need to be accountable for a variety of reasons, including KYC regulations; besides, while blockchains provide protocol-level security, they fail in two ways that do matter to consumers:
- They provide no meaningful consumer protections (since this necessarily requires an authority, which blockchains may not have)
- They don't protect at all against meatspace vulnerabilities like scams and other deception-based attacks, which are by far the more common issue in banking. This is exacerbated by the lack of consumer protections.
(To be clear: don't read my comment as being in support of PayPal. They have abused user trust for a while, and I haven't had an account there in over a year -- fuck 'em.)
Cash has no consumer protections. I use it all the time. I don't expect to have any consumer protections from crypto either.
What percentage of businesses actually accept monero?
Aside from it being an unstable store of value, but that's a problem with all cryptos (and stablecoins, when they collapse).