Watching the recent PayPal Outage and Red Flag Glitch, I noticed a few reports of a very troubling situation: members reported they had logged into completely wrong accounts. Other members’ accounts. Mostly on mobile. I haven’t seen any more since 04-05, but it sure looks like something very serious if more of the same continues.

Here are the reports, followed by the obligatory screencaptured images of the same, as a composite image.

Re: Risk Alert message
Apr 5, 2012 03:45 PM

Last night, when I tried logging into my Paypal account from the Paypal Mobile applet on my phone, the PIN login failed. I tried it twice and it failed both times. So I tried logging in from my phone with user alias and password, and it worked, BUT I got someone else's account!! I could see transactions that were clearly NOT mine.

Freaking out, I went to my laptop and logged in. Everything looked fine on the laptop.

I called Paypal to tell them about it. The first person I spoke with was of no help. He told me “all is well”. While on the phone with him, I logged off then re-logged in to Paypal on my phone. The PIN login kept failing and when I tried the email alias/password, it worked and it appeared he was right – all was well. We hung up.

But all was not well. On the phone, I logged off then logged back on. It seemed to work, but connected me to someone else's account again.

So, back on the laptop, I go through the process to call paypal again. I enter the one-time passcode and wait on hold. Meanwhile, I return to the Paypal account overview screen only to see $2000 has been sent from my account to a “NON-US – Verified” user: connor.hart@me.com.

When they answered, I spoke with a lady who seemed to understand exactly what I was telling her. She had me open a claim against the unauthorized transaction, gave me her name and employee#.

Without going into details, she confirmed that they had seen this activity begin about 45 minutes prior to talking with me. I got the perception from her that this was a sudden attack via the APIs used by the Paypal Mobile applet.

Back on my laptop, I then changed my password and security questions/answers, and unregistered my phone from the paypal account.

All of that transpired over about 35-40 minutes beginning about 11 pm CST last night.
This morning about 11 am CST, I called Paypal to enquire. They said they are looking into it. Ok.
I just logged onto my Paypal account and see they have reversed the $2000 transfer.

THANK YOU PAYPAL!!!

From the EcommerceBytes blog:

Thu Apr 5 23:25:04 2012

I kid you not, this happened to me last night around 11:00pm eastern time:

I logged in to PayPal to check the progress of a transfer from my chequing account to PayPal ($50…only transaction ever made, new account). All I saw was a crap load of transactions! Payments incoming and outgoing! I thought I was hacked! I looked at the top of the screen and saw that it wasn’t even my account! I used MY log in info! I quickly logged out. I logged back in. This time it was MY account…but it stated I had over $900 available! Then my cell died (was using my cell)! I plugged it in and logged in AGAIN! This time it said $50 was still being processed…that's more like it! WTF! What was THAT all about?!!

There were also several reports of the same on Twitter, under the search “someone else’s paypal”.

[Image: composite screen capture of the reports above]

As far as fallout from the Red Flag Glitch, my best guess is that users should all expect to have their funds held, as now you’ve all been flagged as risks.

The PayPal User Agreement states: “Further, you acknowledge that PayPal’s decision to take certain actions, including limiting access to your Account by placing holds or imposing Reserves, may be based on confidential criteria that are essential to our management of risk and the security of Users’ Accounts and the PayPal system. You agree that PayPal is under no obligation to disclose the details of its risk management or its security procedures to you.”

Expect more weasel words and squirming, Paypal users.