Great, who from PayPal is going to jail over this?
Insanity 2 hours ago [-]
So from the Article they claim:
"PayPal has since rolled back the code change responsible for this error, which potentially exposed the PII. We have not delayed this notification as a result of any law enforcement investigation."
That does little to explain the 2 month-ish delay in disclosing it. I presume they could have disclosed _at least_ that account data was leaked even if the underlying bug wasn’t yet closed?
Obviously without disclosing the nature of the bug in that case.
malfist 1 hours ago [-]
It's one of those "suspiciously specific denials"
They didn't delay the release because of law enforcement investigation, it doesn't say they didn't delay the release. There's a whole host of reasons besides "law enforcement investigation" to delay an embarrassing release, including "I don't wanna"
sidewndr46 1 hours ago [-]
The quote is: "We have not delayed this notification as a result of any law enforcement investigation"
The obvious example here would be if the NSA or other agency that isn't law enforcement led the investigation.
But further abuse of the English language reveals a different conclusion. This was not delayed as a result of any law enforcement investigation. It could have been delayed as a result of a specific law enforcement investigation. Furthermore, the word "result" implies that it is tied to the conclusion of said investigation(s). It could in fact have been delayed because of a pending law enforcement investigation.
TitaRusell 13 minutes ago [-]
Hopefully WERO will finally wipe out PayPal in Europe. Despite the ridiculous name.
cmehdy 32 minutes ago [-]
> The company now offers affected users two years of free three-bureau credit monitoring and identity restoration services through Equifax, which require enrollment by June 30, 2026.
How tasteful.
SilverElfin 17 minutes ago [-]
I think all companies just believe security doesn’t matter because the worst thing that can happen is they offer to pay for a credit monitoring. And the victims are powerless to pursue a meaningful lawsuit against them. Even when that happens, it results in a class action settlement where lawyers get a bunch of money and victims get very little.
anonymous908213 23 minutes ago [-]
Irrelevant to the current breach, but at the end of the article...
> In January 2023, PayPal notified customers of another data breach after a large-scale credential stuffing attack compromised 35,000 accounts between December 6 and December 8, 2022.
> Two years later, in January 2025, New York State announced a $2,000,000 settlement with PayPal over charges that it failed to comply with the state's cybersecurity regulations, leading to the 2022 data breach.
I didn't hear about this New York case. I'm the first to lament the incredibly sorry state of affairs of data security, to the extent that such security exists at all, but it is insane that you can get fined $2,000,000 for your customers re-using e-mail + password combinations between sites and becoming compromised as a result. I truly loathe mandatory 2FA with every fiber of my being and I guess New York would like to enforce it on the world? Sigh. Everything about the internet just gets worse and worse, continuously.
josefritzishere 24 minutes ago [-]
There should be legal penalties for failing to inform users in a timely fashion. A 6 month delay is ridiculous. They put all their users at risk.
flipped 29 minutes ago [-]
This is the reason you should be using Monero. The benefits are extremely fruitful for everyone. Private, untraceable, full control over your funds, no breach possible.
_verandaguy 20 minutes ago [-]
These are often undesirable features for SMEs that need to be accountable for a variety of reasons, including KYC regulations; besides, while blockchains provide protocol-level security, they fail in two ways that do matter to consumers:
- They provide no meaningful consumer protections (since this necessarily requires an authority, which blockchains may not have)
- They don't protect at all against meatspace vulnerabilities like scams and other deception-based attacks, which are by far the more common issue in banking. This is exacerbated by the lack of consumer protections.
(To be clear: don't read my comment as being in support of PayPal. They have abused user trust for a while, and I haven't had an account there in over a year -- fuck 'em.)
draygonia 16 minutes ago [-]
Aside from it being an unstable store of value, but that's a problem with all cryptos (and stablecoins, when they collapse).
pennomi 19 minutes ago [-]
What percentage of businesses actually accept monero?
Rendered at 15:53:58 GMT+0000 (Coordinated Universal Time) with Vercel.
"PayPal has since rolled back the code change responsible for this error, which potentially exposed the PII. We have not delayed this notification as a result of any law enforcement investigation."
That does little to explain the 2 month-ish delay in disclosing it. I presume they could have disclosed _at least_ that account data was leaked even if the underlying bug wasn’t yet closed?
Obviously without disclosing the nature of the bug in that case.
They didn't delay the release because of law enforcement investigation, it doesn't say they didn't delay the release. There's a whole host of reasons besides "law enforcement investigation" to delay an embarrassing release, including "I don't wanna"
The obvious example here would be if the NSA or other agency that isn't law enforcement led the investigation.
But further abuse of the English language reveals a different conclusion. This was not delayed as a result of any law enforcement investigation. It could have been delayed as a result of a specific law enforcement investigation. Furthermore, the word "result" implies that it is tied to the conclusion of said investigation(s). It could in fact have been delayed because of a pending law enforcement investigation.
How tasteful.
> In January 2023, PayPal notified customers of another data breach after a large-scale credential stuffing attack compromised 35,000 accounts between December 6 and December 8, 2022.
> Two years later, in January 2025, New York State announced a $2,000,000 settlement with PayPal over charges that it failed to comply with the state's cybersecurity regulations, leading to the 2022 data breach.
I didn't hear about this New York case. I'm the first to lament the incredibly sorry state of affairs of data security, to the extent that such security exists at all, but it is insane that you can get fined $2,000,000 for your customers re-using e-mail + password combinations between sites and becoming compromised as a result. I truly loathe mandatory 2FA with every fiber of my being and I guess New York would like to enforce it on the world? Sigh. Everything about the internet just gets worse and worse, continuously.
- They provide no meaningful consumer protections (since this necessarily requires an authority, which blockchains may not have)
- They don't protect at all against meatspace vulnerabilities like scams and other deception-based attacks, which are by far the more common issue in banking. This is exacerbated by the lack of consumer protections.
(To be clear: don't read my comment as being in support of PayPal. They have abused user trust for a while, and I haven't had an account there in over a year -- fuck 'em.)