Hackers are mysteriously stealing from PayPal accounts for online shopping

By Shubham Sharma

Feb 25, 2020

06:35 pm

What's the story

PayPal, one of the biggest payment platforms in the world, has been marred by a major, albeit unknown, security flaw. According to multiple reports, hackers have been exploiting this vulnerability to steal money from unsuspecting users and then use the same for shopping online. PayPal, on the other hand, says it's currently investigating the whole matter. Here's all you need to know about it.

Issue

Mysterious PayPal payments via Google Pay

Over the last few days, a number of PayPal users took to the company's own forums as well as social media platforms like Reddit and Twitter to report unauthorized payments from their accounts. They claimed that the mysterious transactions - revealed from their PayPal account history - were made using their Google Pay account for buying random products online.

Targets

Most of the targeted users were Germans

Going by the reports, cited by ZDNet, most of the mysterious transactions were carried out at stores in the US, particularly at Target stores, while a majority of the targeted users were those hailing from Germany and Russia. The complaints go in the scale of dozens and the amount stolen so far is estimated to be around tens of thousands of dollars.

Reason

No word on exact cause of this issue

The case of hackers breaking into PayPal and making unauthorized payments challenges the core of the payments service. It is not exactly clear how the threat actors are doing this or what kind of bug they are exploiting to get into accounts. However, security researcher Markus Fenske suggests the problem might be associated with PayPal's virtual card-based integration of Google Pay for contactless payments.

Twitter Post

Fenske said they informed PayPal about this a year ago

I think we can disclose it by now.

Issue: PayPal allows contactless payments via Google Pay. If you have set it up, you can read the card details of a virtual credit card from the mobile, if the mobiles device is enabled. No auth.

— iblue (@iblueconnection) February 24, 2020

Response

What PayPal says on this?

PayPal says it's looking into the unauthorized transactions but has not given an answer to explain how exactly the money was stolen from the accounts. "The security of customer accounts is a top priority for the company," a company spokesperson told ZDNet. "We are reviewing and assessing this information and will take any appropriate actions that are deemed necessary to further protect our customers."