Posted by el_duderino 10 hours ago

PayPal discloses data breach that exposed user info for 6 months(www.bleepingcomputer.com)
238 points | 74 comments | page 2
thisislife2 5 hours ago
I am still pissed at PayPal for stealing some money from me (this was probably a decade ago) - I opened a new PayPal account in India, and PayPal required me to add a Debit Card (Mastercard or Visa) to it. It also said that to verify the card, it would debit a dollar or two from it, and then refund it back. Bastards stole around Rs. 100 from me and never refunded it! (I was a broke student back then, so it hurt! :). In the midst of all that, India tightened its regulations on non-banking online transfers, and I don't remember exactly, but I think PayPal chose to partially exit the Indian market (because it couldn't compete and / or because it didn't want to abide by the regulations). eBay also shut down in India around that time, if I remember right.
dheera 7 hours ago
These kinds of breaches are why I'm against KYC's current implementation.

If the government wants to know who I am, that's fine, I'm not here to fight law. I however don't think it should be necessary to tell banks and private businesses where I physically sleep. That is more information than they need to operate, and every few months it seems someone has a data breach.

shog_hn 1 hour ago
Yet another reason I deleted my main paypal account years back. Don't trust them.
lurkercodemnky 7 hours ago
The ignorance of a company like PayPal is obviously bad.

That said, I think we need to have an equivalent of automated integration testing for security vulnerabilities.

Even if PenTesters (or whatever they're called these days) do some testing and uncover some bugs, the applications under continuous development will inevitably introduce "bugs" not seen before.

himata4113 6 hours ago
paypal is still around? I haven't seen any "accepts paypal" / paypal / checkout with paypal since around 2023 and the realization of it makes me unreasonably happy.
yieldcrv 5 hours ago
yeah they power everything under different brand names, such as Venmo
himata4113 3 hours ago
unfortunate, it's such a hostile company that I don't really know why they're even relevant anymore.
kevincloudsec 6 hours ago
love the update at the bottom. 'our systems were not compromised' doing a lot of heavy lifting for 'a code change exposed SSNs to unauthorized individuals for six months.'
anonymous908213 8 hours ago
Irrelevant to the current breach, but at the end of the article...

> In January 2023, PayPal notified customers of another data breach after a large-scale credential stuffing attack compromised 35,000 accounts between December 6 and December 8, 2022.

> Two years later, in January 2025, New York State announced a $2,000,000 settlement with PayPal over charges that it failed to comply with the state's cybersecurity regulations, leading to the 2022 data breach.

I didn't hear about this New York case. I'm the first to lament the incredibly sorry state of affairs of data security, to the extent that such security exists at all, but it is insane that you can get fined $2,000,000 for your customers re-using e-mail + password combinations between sites and becoming compromised as a result. I truly loathe mandatory 2FA with every fiber of my being and I guess New York would like to enforce it on the world? Sigh. Everything about the internet just gets worse and worse, continuously.

chrneu 7 hours ago
I got like $230 from that paypal breach. Pretty rad.
thunderfork 7 hours ago
You don't have to do 2FA, but there's liability in being vulnerable to credential-stuffing, and 2FA is one of many ways to mitigate that.
dmitrygr 4 hours ago
They still exist!? I just don't use any merchant that lacks the "checkout with apple pay" or "checkout with amazon" button. Too much trouble.
josefritzishere 8 hours ago
There should be legal penalties for failing to inform users in a timely fashion. A 6 month delay is ridiculous. They put all their users at risk.
oxqbldpxo 7 hours ago
Imagine when Palantir gets hacked.
rickknowlton 7 hours ago
in a way the data can't really get into worse hands than palantir, can it? lol jk