Security News

An ongoing PayPal email scam exploits the platform's address settings to send fake purchase notifications, tricking users into granting remote access to scammers [...]

New York State has announced a $2,000,000 settlement with PayPal over charges it failed to comply with the state's cybersecurity regulations, leading to a 2022 data breach. [...]

"The theft of cookies is a sophisticated form of cyberattack, where an attacker steals or copies cookies from a victim's computer onto the attacker's web browser," PayPal says in the patent application. "With stolen cookies often containing hashed passwords, the attacker can use a web browser on the attacker's computer to impersonate the user and gain access to secure information associated with the user's account without having to manually login or provide authentication credentials," it is further explained.

Three supporters of activists against a $90 million police training facility dubbed Cop City were arrested after the cops used PayPal data to bring money-laundering charges against the trio. Police cuffed 39-year-old Marlon Scott Kautz and 42-year-old Adele Maclean, both of Atlanta, Georgia, and 30-year-old Savannah Patterson, of Savannah, and charged them with money laundering and charity fraud at the end of May. The three, as board members of the Atlanta Solidarity Fund, help arrange legal advice, bail funds, and other support for those who oppose the southern US state's Cop City and run into trouble with the authorities.

Scammers are now exploiting the ongoing humanitarian crisis in Turkey and Syria: this time stealing donations by abusing legitimate platforms like PayPal and Twitter. BleepingComputer has identified multiple scams running on Twitter and abusing legitimate platforms like PayPal's fundraising pages to create convincing scam websites and collect proceeds from donors hoping to aid earthquake victims.

The personal information of 35,000 PayPal users was exposed in December, according to a notification letter sent to the online payment company's customers this week. PayPal attributed this privacy breach to "Unauthorized parties," who accessed accounts using customer login credentials.

PayPal is sending out data breach notifications to thousands of users who had their accounts accessed through credential stuffing attacks that exposed some personal data. Credential stuffing are attacks where hackers attempt to access an account by trying out username and password pairs sourced from data leaks on various websites.

The bad thing about this scam is that it's astonishingly easy for criminals to set up, and it carefully avoids sending spoofed emails or tricking you to visit bogus websites, because the crooks use a PayPal service to generate their initial contact via official PayPal servers. Email scammers therefore often go out of their way to ensure that their first contact with potential victims involves messages that really do come from genuine sites or online services, and that link to servers that really are run by those same legitimate sites.

PayPal has added passkeys for passwordless login to accounts across Apple devices. Passkeys allows users to login to accounts with cryptographic key pairs instead of passwords.

Brian Krebs is reporting on a clever PayPal phishing scam that uses legitimate PayPal messaging. Basically, the scammers use the PayPal invoicing system to send the email.