11/01/2024
𝖯𝖺𝗒𝖯𝖺𝗅 𝖡𝗎𝗌𝗂𝗇𝖾𝗌𝗌 𝖠𝖼𝖼𝗈𝗎𝗇𝗍𝗌:
𝘈 𝘊𝘢𝘶𝘵𝘪𝘰𝘯𝘢𝘳𝘺 𝘛𝘢𝘭𝘦
Written by: Me
About a week ago, one of our PayPal business accounts was hacked / hijacked. A rather largish sum of USD was transferred to a bank in China. A bank account had been added to the account without our knowledge or authorization.
With the help of PayPal, we did get everything back. We went through the whole retinue of changing the account password (multiple times, as a second withdrawal occurred after the change), the email account password (multiple times, after the third unauthorized withdrawal), etc, all in coordination with an actual human at PayPal.
Just about an hour ago, we found yet another withdrawal, to the bank account that we'd repeatedly deleted from the account, finding it once again there and siphoning cash. After much swearing among the household, I took a look at the account, and found the actual root of the problem. In the initial "hack", an additional "USER" had been added to the account, with full administrative privileges. You can see the page below where I found that important piece of info. The piece that PayPal never even mentioned possible existing. Their business accounts allow for multiple users, with different levels of access. This thief gave themselves complete access, through that email address. Even with the password changes, adding two-factor authentication, etc, they still had full use of the account. PayPal *totally* missed it. Kudos to them for actually getting us a person, in very short time. Yet they should still be flogged publicly for missing such an obvious back door. Truthfully, I'm quite mad at myself that it took me over a week to find it myself.
But I think we're on safe(-ish) ground again. If you're a business owner, keep a close eye on your accounts. I highly suggest using PayPal *only* as a pass-through to your real bank account. Which reminds me - as that account is linked to your bank, a surreptitious user (like ours did) can try to pull money out of there, too....
Scared enough now???