Almost 20 years ago now paypal stole my $15 for no cause, I bought a videogame with it once off a major website, had $15 in it sitting around for 6 months, tried to use it to buy something off ebay and got locked out instantly. Then demanded all sorts of hoop jumping to get it back with notarized license and crap. Ive been saying screw them ever since, and not once have I regretted it. Every year there is some more shit showing that was the right move.
How many millions of dollars have they seized without cause? I can't believe they are still going, I can only hope someday somebody with a bit of money can sue their pants off in court and get them shut down.
I remember a long time ago on Reddit I saw a post saying (paraphrasing) "AMA: PayPal locked up $600,000 of my money because my video game is selling so quickly they think it is a scam." Turns out this was Notch selling early alpha versions of Minecraft off his personal website, which totally did look like a scam at the time.
I tried to sign up for paypal to send money collected from coworkers for a pregnancy gift. I had to sign up, enter my bank info, then verify deposits went through to use the bank account. Once I did that my account was instantly locked, then I still couldn’t use my account until I called customer support and scanned in my ID. I called them to delete the account and just bought a digital gift card online.
I thought companies can't profit off of unclaimed/abandoned money.
Was under the impression that funds like that eventually get handed over to whatever state agency is responsible for dealing with unclaimed property.
(If so, the cause might just be incompetence rather than greed or malice - not that incompetence is any better than malice when it comes to handling people's money)
At one point on the internet PayPal was the most trusted way to send and receive money - at least you are limiting sharing your personal payment information with random companies on the internet who may or may not be compliant. Lately though, with companies like Stripe and Plaid making it nearly frictionless to add payments to your website just as PP once did, and things like Google & Apple pay - why is there a need to use PayPal anymore? Their support is notoriously awful, the product is slow and dated, as a consumer at least I see no reason to not stop using PayPal (and their subsidies) entirely.
Paypal G&S generally always gets money back if something went wrong on a p2p transaction. I've been scammed once or twice, but I always use G&S and have received my money back in full.
If you don't use that, then you're pretty much screwed with Paypal F&F, Zelle, Cashapp, Venmo etc. At least as far as I'm aware.
PayPal is still the only place really that offers viable micropayment fee structure. At least that I know of. At ardour.org, where we have thousands of $1 payments per month, PayPal saves us 23c per $1 transaction.
AFAIK Stripe and Plaid support only a fraction of the countries that PayPal does. And PayPal is still a global brand - recognized by almost everyone, everywhere.
> was the most trusted way to send and receive money
This was mostly due to century old banking regulations and the difficulty for any new type of money processors to get themselves connected to the necessary backend systems to actually do anything.
It had absolutely nothing to do with the qualities of PayPal. In many ways they were simply the only game in town.
When I try to purchase something with my credit card directly on Best Buy's website, my order always gets cancelled (presumably something in their fraud algorithm), but when I pay using PayPal, the order goes through just fine.
"PayPal has since rolled back the code change responsible for this error, which potentially exposed the PII. We have not delayed this notification as a result of any law enforcement investigation."
That does little to explain the 2 month-ish delay in disclosing it. I presume they could have disclosed _at least_ that account data was leaked even if the underlying bug wasn’t yet closed?
Obviously without disclosing the nature of the bug in that case.
They didn't delay the release because of law enforcement investigation, it doesn't say they didn't delay the release. There's a whole host of reasons besides "law enforcement investigation" to delay an embarrassing release, including "I don't wanna"
These kind of breaches are why I'm against KYC's current implementation.
If the government wants to know who I am, that's fine, I'm not here to fight law. I however don't think it should be necessary to tell banks and private businesses where I physically sleep. That is more information than they need to operate, and every few months it seems someone has a data breach.
> The company now offers affected users two years of free three-bureau credit monitoring and identity restoration services through Equifax, which require enrollment by June 30, 2026.
I think all companies just believe security doesn’t matter because the worst thing that can happen is they offer to pay for a credit monitoring. And the victims are powerless to pursue a meaningful lawsuit against them. Even when that happens, it results in a class action settlement where lawyers get a bunch of money and victims get very little.
I recently tried to sign up for paypal, "tried" being the operative word since their garbage, broken processes couldn't verify me despite bank info, etc.
After seeing their profound incompetence at customer acquisition, ineptitude on the security front is no surprise.
I think in general, it's getting harder and harder to 1. newly sign up for online services, and 2. come back to these services after long periods of inactivity. Everyone's got overly-aggressive automation that blocks you for no discernible reason, and endlessly requests more and more invasive "verification" schemes.
I hardly ever use my Microsoft account. Probably haven't logged into it for years. But recently I wanted to give my kid a few bucks to spend on Minecraft micro transactions, and boy, just logging in was a nightmare of verifications and codes and resets. And then making a purchase? Instantly denied with a vague error message that directed me to contact what turned out to be their fraud department. Totally user-hostile, when I'm just trying to get them to take my money.
The security tail seems to be wagging the dog at these companies.
Lets take the article at face value: "The financial technology company said it has reversed the code change that caused the incident, blocking attackers' access to the data one day after discovering the breach."
Great thats your bug. Key word here being BUG. Your name next to the commit that caused this.
Should you go to prison? Probably not.
Tell me you never had a bug, a security hole, never took production down. Never made a mistake. Tell me that you want to go to jail for human error. Not intent, error.
I've been thinking this way for several years now, what a fool I was! Corporations are the elite of society now. They can't fail, they pay off everyone of any importance, i.e., not you or I. The dog and pony show in congress involving FB is further proof they can do no wrong as long as they explain the law to the dolts in congress. (While being watched by SCOTUS, who are laughing their asses off.)
The rule of the corporate thumbs for several decades now is: it's more profitable to pay a fine then follow the law. (And if congress isn't keeping up with current tech which needs new laws to protect consumers, who cares?)
I've never used PayPal because someone signed up with my email to buy internet pornography before I could legally create an account at 18 years old. PayPal allows people to buy things without verifying the email, so now I'm stuck with it.
I could create a separate email, but I don't want to. I could take over the account, but I'm also unwilling to commit financial fraud. I called PayPal, and they said they couldn't do anything.
I've just used Stripe, Link, or directly used my credit card. Nothing bad has ever happened as a result. Any time I've had a dispute, I've been able to get a refund from my credit card company.
I also live in Canada. We have had "e-Transfer" since 2003, meaning I can securely email or text money to friends and family with no fees. So I don't need PayPal for that, either.
At this point, I just operate under the assumption that every bad actor out there already has my data. Six months of exposure is an eternity. It really makes you question the entire trade off: we hand over our personal information in exchange for ‘free’ or convenient services and this is what we get in return. The product-is-you model only works if the company holding your data actually bothers to protect it.
The ignorance of a company like PayPal is obviously bad.
That said, I think we need to have an equivalent of automated integration testing for security vulnerabilities.
Even if PenTesters (or whatever they're called these days) do some testing and uncover some bugs, the applications under continuous development will inevitably introduce "bugs" not seen before.
I think the paypal response at the bottom needs to be lifted to the top. It's way more terrifying to see "data breach" and "exposed data" when you don't know how many are affected and whether unauthorized access was part of the story or not.
Just saw this and tried logging in and got locked out, "please reset you password", but then the page fails to load after completing a captcha. So now I'm completely locked out? good job paypal.
I am still pissed at PayPal for stealing some money from me (this was probably a decade ago) - I opened a new PayPal account in India, and PayPal required me to add a Debit Card (Mastercard or Visa) to it. It also said that to verify the card, it would debit a dollar or two from it, and then refund it back. Bastards stole around Rs. 100 from me and never refunded it! (I was a broke student back then, so it hurt! :). In the midst of all that, India tightened its regulations on non-banking online transfers, and I don't remember exactly, but I think PayPal chose to partially exit the Indian market (because it couldn't compete and / or because it didn't want to abide by the regulations). Ebay also shut down in India around that time, if I remember right.
Irrelevant to the current breach, but at the end of the article...
> In January 2023, PayPal notified customers of another data breach after a large-scale credential stuffing attack compromised 35,000 accounts between December 6 and December 8, 2022.
> Two years later, in January 2025, New York State announced a $2,000,000 settlement with PayPal over charges that it failed to comply with the state's cybersecurity regulations, leading to the 2022 data breach.
I didn't hear about this New York case. I'm the first to lament the incredibly sorry state of affairs of data security, to the extent that such security exists at all, but it is insane that you can get fined $2,000,000 for your customers re-using e-mail + password combinations between sites and becoming compromised as a result. I truly loathe mandatory 2FA with every fiber of my being and I guess New York would like to enforce it on the world? Sigh. Everything about the internet just gets worse and worse, continuously.
Who still uses PayPal? I never hear it mentioned here anymore. They always were a scammy company, but especially very bad for sellers as they always side with the buyers. Locking up money for months of startups without cause etc. They terminated my seller account because 'fraud', no dispute possible. Years later they terminated my buyer account for 'fraud' no dispute possible. Never participated in anything that even looks like fraud but to their AI.
I use them pretty extensively. That way, whenever I need to rotate credit cards for whatever reason, I only need to update them in one location, rather than several.
Also, I’m using a single, common storage of credit card information, rather than needing to track 100s of different websites with potentially even more lax security.
I only use it when a seller doesn't offer any other way to pay, but there are still many, many sites that have it as the only option. A major one is Discogs; also quite a few artists on Bandcamp.
paypal is still around? I haven't seen any "accepts paypal" / paypal / checkout with paypal since around 2023 and the realization of it makes me unreasonably happy.
love the update at the bottom. 'our systems were not compromised' doing a lot of heavy lifting for 'a code change exposed SSNs to unauthorized individuals for six months.
When people want to make the case that Silicon Valley is evil, corrupt, awful and opposed to the welfare of people so should be obliterated with prejudice: example 1 will be PayPal.
The poster child for “there Is not nearly enough regulation”
I don’t agree with that so I’ve got to work out why paypal is such a total disgrace.
These are often undesirable features for SMEs that need to be accountable for a variety of reasons, including KYC regulations; besides, while blockchains provide protocol-level security, they fail in two ways that do matter to consumers:
- They provide no meaningful consumer protections (since this necessarily requires an authority, which blockchains may not have)
- They don't protect at all against meatspace vulnerabilities like scams and other deception-based attacks, which are by far the more common issue in banking. This is exacerbated by the lack of consumer protections.
(To be clear: don't read my comment as being in support of PayPal. They have abused user trust for a while, and I haven't had an account there in over a year -- fuck 'em.)
AngryData|9 days ago
How many millions of dollars have they seized without cause? I can't believe they are still going, I can only hope someday somebody with a bit of money can sue their pants off in court and get them shut down.
skizm|9 days ago
righthand|9 days ago
cj|9 days ago
Was under the impression that funds like that eventually get handed over to whatever state agency is responsible for dealing with unclaimed property.
(If so, the cause might just be incompetence rather than greed or malice - not that incompetence is any better than malice when it comes to handling people's money)
tmpfs|7 days ago
I think it is highly likely the wealth of the PayPal mafia founders is partly derived from this theft.
kiba|9 days ago
sunshinekitty|9 days ago
0x1ch|9 days ago
If you don't use that, then you're pretty much screwed with Paypal F&F, Zelle, Cashapp, Venmo etc. At least as far as I'm aware.
PaulDavisThe1st|9 days ago
dig1|9 days ago
themafia|9 days ago
This was mostly due to century old banking regulations and the difficulty for any new type of money processors to get themselves connected to the necessary backend systems to actually do anything.
It had absolutely nothing to do with the qualities of PayPal. In many ways they were simply the only game in town.
rationalist|9 days ago
When I try to purchase something with my credit card directly on Best Buy's website, my order always gets cancelled (presumably something in their fraud algorithm), but when I pay using PayPal, the order goes through just fine.
SoftTalker|9 days ago
latchkey|9 days ago
Not on my planet and I've run $100m+ through them over the years.
Insanity|9 days ago
"PayPal has since rolled back the code change responsible for this error, which potentially exposed the PII. We have not delayed this notification as a result of any law enforcement investigation."
That does little to explain the 2 month-ish delay in disclosing it. I presume they could have disclosed _at least_ that account data was leaked even if the underlying bug wasn’t yet closed?
Obviously without disclosing the nature of the bug in that case.
malfist|9 days ago
They didn't delay the release because of law enforcement investigation, it doesn't say they didn't delay the release. There's a whole host of reasons besides "law enforcement investigation" to delay an embarrassing release, including "I don't wanna"
motbus3|9 days ago
dheera|9 days ago
If the government wants to know who I am, that's fine, I'm not here to fight law. I however don't think it should be necessary to tell banks and private businesses where I physically sleep. That is more information than they need to operate, and every few months it seems someone has a data breach.
cmehdy|9 days ago
How tasteful.
SilverElfin|9 days ago
SoftTalker|9 days ago
elphinstone|9 days ago
After seeing their profound incompetence at customer acquisition, ineptitude on the security front is no surprise.
ryandrake|9 days ago
I hardly ever use my Microsoft account. Probably haven't logged into it for years. But recently I wanted to give my kid a few bucks to spend on Minecraft micro transactions, and boy, just logging in was a nightmare of verifications and codes and resets. And then making a purchase? Instantly denied with a vague error message that directed me to contact what turned out to be their fraud department. Totally user-hostile, when I'm just trying to get them to take my money.
The security tail seems to be wagging the dog at these companies.
TitaRusell|9 days ago
raron|9 days ago
sevenzero|9 days ago
jimnotgym|9 days ago
zer00eyz|9 days ago
Lets take the article at face value: "The financial technology company said it has reversed the code change that caused the incident, blocking attackers' access to the data one day after discovering the breach."
Great thats your bug. Key word here being BUG. Your name next to the commit that caused this.
Should you go to prison? Probably not.
Tell me you never had a bug, a security hole, never took production down. Never made a mistake. Tell me that you want to go to jail for human error. Not intent, error.
bloomingeek|9 days ago
The rule of the corporate thumbs for several decades now is: it's more profitable to pay a fine then follow the law. (And if congress isn't keeping up with current tech which needs new laws to protect consumers, who cares?)
jjmarr|9 days ago
I could create a separate email, but I don't want to. I could take over the account, but I'm also unwilling to commit financial fraud. I called PayPal, and they said they couldn't do anything.
I've just used Stripe, Link, or directly used my credit card. Nothing bad has ever happened as a result. Any time I've had a dispute, I've been able to get a refund from my credit card company.
I also live in Canada. We have had "e-Transfer" since 2003, meaning I can securely email or text money to friends and family with no fees. So I don't need PayPal for that, either.
bicepjai|7 days ago
josefritzishere|9 days ago
lurkercodemnky|9 days ago
That said, I think we need to have an equivalent of automated integration testing for security vulnerabilities.
Even if PenTesters (or whatever they're called these days) do some testing and uncover some bugs, the applications under continuous development will inevitably introduce "bugs" not seen before.
lacoolj|9 days ago
anon_cow1111|8 days ago
thisislife2|9 days ago
dmitrygr|9 days ago
anonymous908213|9 days ago
> In January 2023, PayPal notified customers of another data breach after a large-scale credential stuffing attack compromised 35,000 accounts between December 6 and December 8, 2022.
> Two years later, in January 2025, New York State announced a $2,000,000 settlement with PayPal over charges that it failed to comply with the state's cybersecurity regulations, leading to the 2022 data breach.
I didn't hear about this New York case. I'm the first to lament the incredibly sorry state of affairs of data security, to the extent that such security exists at all, but it is insane that you can get fined $2,000,000 for your customers re-using e-mail + password combinations between sites and becoming compromised as a result. I truly loathe mandatory 2FA with every fiber of my being and I guess New York would like to enforce it on the world? Sigh. Everything about the internet just gets worse and worse, continuously.
thunderfork|9 days ago
chrneu|9 days ago
stefandesu|8 days ago
anonzzzies|9 days ago
Wish them many bad press.
t-writescode|9 days ago
Also, I’m using a single, common storage of credit card information, rather than needing to track 100s of different websites with potentially even more lax security.
gpvos|9 days ago
himata4113|9 days ago
yieldcrv|9 days ago
kevincloudsec|9 days ago
harry8|9 days ago
The poster child for “there Is not nearly enough regulation”
I don’t agree with that so I’ve got to work out why paypal is such a total disgrace.
oxqbldpxo|9 days ago
rickknowlton|9 days ago
shog_hn|9 days ago
flipped|9 days ago
[deleted]
_verandaguy|9 days ago
- They provide no meaningful consumer protections (since this necessarily requires an authority, which blockchains may not have)
- They don't protect at all against meatspace vulnerabilities like scams and other deception-based attacks, which are by far the more common issue in banking. This is exacerbated by the lack of consumer protections.
(To be clear: don't read my comment as being in support of PayPal. They have abused user trust for a while, and I haven't had an account there in over a year -- fuck 'em.)
pennomi|9 days ago
draygonia|9 days ago
dhayabaran|8 days ago
[deleted]