Teenage Researcher: Your PayPal Account Can Be Hacked



Can a PayPal account be hacked?

Can your PayPal account be hacked? You may think your PayPal account is secure, but think again.

Even if you’ve signed up for PayPal’s Security Key feature, you still need to ponder the safety of your account.

An Australian researcher — just 17 years old — says it’s easy, for a hacker at least, to get around PayPal’s two-step (or two-factor) authentication precautions. Security Key is PayPal’s add-on that sends you a text message to your phone with a second security key needed to access your account.

In the security section of the official PayPal website, the company explains:

“The PayPal Security Key gives you a second authentication factor when you’re logging in to your account. In addition to your password, you enter a One Time Pin (OTP) that is unique for each login. These two factors give you stronger account security.”

But that’s not so, as Joshua Rogers tells PC Magazine. The problem with PayPal’s Security Key feature is connected to eBay. A hacker only needs a user’s eBay and PayPal login credentials to access the account holding the money. If you authorize eBay to immediately withdraw its fees from your PayPal account when a sale is complete, your PayPal account could be vulnerable.

On his blog, Rogers describes:

“When setting this up, you’re (obviously) asked for your PayPal login. Once you’re actually logged in, a cookie is set with your details, and you’re redirected to a page to confirm the details of the process. And this is where the exploit lies. Now just load http://www.paypal.com/, and you are logged in, and don’t need to re-enter your login.”

PC Magazine notes that another loophole in this feature occurs when a person who has enabled Security Key doesn’t have a phone. If they can’t receive a text message with that second code, they can opt to answer two security questions. The magazine suggests that sort of information is readily available to hackers, too.
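The two weaknesses described above, a login cookie minted by a partner-linking flow that is then honoured as a full account session, and a security-question fallback that stands in for the second factor, are both session-policy problems on the server side. The following is an added illustration, not PayPal's or eBay's code: it records how strongly each session was authenticated and which flow created it, and shows the permissive check beside the stricter one. Every name, level, action and the sample one-time code are hypothetical assumptions made for the example.

```python
# Added example (not PayPal's or eBay's code): a session store that records
# the assurance level and the purpose of each session, so a cookie issued by a
# password-only partner-linking flow cannot double as a fully authenticated
# account session. All names, levels and the OTP handling are hypothetical.
import hmac
import secrets
import time

LEVEL_PASSWORD = 1      # first factor only (password)
LEVEL_TWO_FACTOR = 2    # password plus a one-time code sent over a second channel

# Policy choice: answers to security questions are still "something you know",
# so the knowledge-based fallback does not raise a session to LEVEL_TWO_FACTOR.
KBA_FALLBACK_LEVEL = LEVEL_PASSWORD

# Assurance level each action needs for a user enrolled in two-factor auth.
REQUIRED_LEVEL = {
    "confirm_partner_link": LEVEL_PASSWORD,   # the fee-withdrawal setup page
    "view_account": LEVEL_TWO_FACTOR,
    "send_money": LEVEL_TWO_FACTOR,
}

SESSION_TTL = 15 * 60  # seconds a session stays valid (constructed value)


class SessionStore:
    def __init__(self, send_otp):
        # send_otp(user, code) stands in for the SMS delivery channel.
        self._sessions = {}
        self._send_otp = send_otp

    def login_with_password(self, user, two_factor_enrolled, purpose):
        """Mint a session after the first factor; 'purpose' names the flow
        that created it, e.g. "partner_link" or "direct_login"."""
        sid = secrets.token_urlsafe(32)
        otp = f"{secrets.randbelow(10**6):06d}" if two_factor_enrolled else None
        self._sessions[sid] = {
            "user": user,
            "two_factor_enrolled": two_factor_enrolled,
            "level": LEVEL_PASSWORD,
            "purpose": purpose,
            "expected_otp": otp,
            "issued": time.time(),
        }
        if otp is not None:
            self._send_otp(user, otp)
        return sid

    def complete_second_factor(self, sid, otp):
        """Upgrade the session only on a constant-time match of the code."""
        s = self._sessions[sid]
        if s["expected_otp"] is not None and hmac.compare_digest(s["expected_otp"], otp):
            s["level"] = LEVEL_TWO_FACTOR
            s["expected_otp"] = None  # single use
            return True
        return False

    def complete_security_questions(self, sid, answers_correct):
        """Fallback path: correct answers never exceed KBA_FALLBACK_LEVEL."""
        s = self._sessions[sid]
        if answers_correct:
            s["level"] = max(s["level"], KBA_FALLBACK_LEVEL)
        return s["level"]

    def get(self, sid):
        s = self._sessions.get(sid)
        if s is None or time.time() - s["issued"] > SESSION_TTL:
            return None
        return s


def vulnerable_authorize(store, sid, action):
    """The pattern described in the article: any valid login cookie is enough."""
    return store.get(sid) is not None


def hardened_authorize(store, sid, action):
    """Require the level the action needs, and keep a session created by the
    partner-linking flow scoped to that flow alone."""
    s = store.get(sid)
    if s is None:
        return False
    if s["purpose"] == "partner_link" and action != "confirm_partner_link":
        return False
    required = REQUIRED_LEVEL[action]
    if not s["two_factor_enrolled"]:
        required = LEVEL_PASSWORD  # the user has no second factor to demand
    return s["level"] >= required


if __name__ == "__main__":
    sent = []  # captured "SMS" messages, constructed for the demo
    store = SessionStore(send_otp=lambda user, code: sent.append((user, code)))
    link_sid = store.login_with_password("alice", True, "partner_link")
    print("vulnerable check grants account:", vulnerable_authorize(store, link_sid, "view_account"))
    print("hardened check grants account:  ", hardened_authorize(store, link_sid, "view_account"))
    direct = store.login_with_password("alice", True, "direct_login")
    store.complete_second_factor(direct, sent[-1][1])
    print("after OTP, send_money allowed:  ", hardened_authorize(store, direct, "send_money"))
```

The two checks differ in where they look: `vulnerable_authorize` only asks whether a session exists, while `hardened_authorize` asks how that session was created and how far it was authenticated. Tying the assurance level to the session record, rather than to the mere presence of a cookie, is what keeps a linking flow from becoming a login.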

By going public with the flaw in PayPal’s security system, Rogers will miss out on any compensation for his discovery. PayPal actually offers a Bounty Program for researchers who alert the company to security flaws. Rogers tells PC Magazine that he told PayPal of his work in early June but nothing became of his alerts.



Joshua Sophy is the Assistant Editor for Small Business Trends and the Head of Content Partnerships. A journalist with 20 years of experience in traditional and online media, Joshua got his start in the rough and tumble newspaper business of Pennsylvania's coal region. He is a member of the Society of Professional Journalists and was a beat reporter covering daily news. He eventually founded his own local newspaper, the Pottsville Free Press, covering his hometown. Joshua supervises the day-to-day operations of Small Business Trends' busy editorial department including the editorial calendar and outgoing assignments.

7 Reactions

  1. Thanks for this information.

    Getting hacked is not fun; it happened to one of my websites 3 times in the past couple of weeks.

    And, if PayPal is vulnerable….

    Sounds to me PayPal needs to go one step further.

    They make enough money to do this right.

    The Franchise King®

  2. I’ve known for a while that PayPal accounts can get hacked into, because I’ve read about it unfortunately happening to some people. Whether PayPal plans to/will do anything about the above vulnerability remains to be seen. They’ve had two months already.

  3. Aww, I don’t believe it. I just saw a commercial from them stating that they have security that is like your money being stored in a titanium safe protected by ninjas 🙂

  4. My account was recently hacked. Someone bought a phone from Russia. They froze my account but not before the transaction was processed.

    PayPal quickly reversed the charges and gave me a $10 credit. They are currently investigating the theft.

  5. Obviously still not done anything about this problem. I was hacked 19/12/17 and caught on straight away. Four transactions for a total of £980. I was able to contact Amex and eBay fraud teams immediately and they were great, but an automated PayPal message stated ‘we can speak to you in one hour and four minutes’. REALLY. I could even see the address the items were being sent to. Managed to stop two but the other two went through. Seems I was the only one really bothered.

  6. My PayPal was hacked way back in January and I didn’t catch on until last night. Thank god that lululemon has an order history that you can look into because that’s where I saw it! I am calling them today. Wish me luck!

    • Would you mind telling me what happened to your issue Darcey, I got mine hacked just today, I saw mine on my online banking there is a charge of $1333 for computer games. All of the charges are still on hold, hopefully they’ll be able to do something about this immediately.
