PayPal’s official response

Yesterday, we posted about Brian Krebs’ PayPal account getting hacked on Christmas Eve and his claim that the hacker used social engineering to blow right by his two factor authentication:

I had two-step authentication (PayPal security key fob) enabled, and the attacker got past that. I don’t know if PayPal simply didn’t require it when the password was reset, but the point is that two-factor is kind of useless when someone can just call in and reset your password verbally by answering a couple of out-of-wallet questions.

Last night we got an email from a PayPal spokesperson with this official response:

The safety and security of our customers’ accounts, data and money is PayPal’s highest priority. Due to our privacy policies that protect our customers, PayPal does not publicly disclose details about our customers’ accounts or their specific cases. However, it appears that our standard procedures were not followed in this case. While the funds remained secure, we are sorry that this unacceptable situation arose and we are reviewing the matter in order to prevent it from happening again.

Let’s hope they fix this quickly.