PayPal Says 1.6 Million Customer Details Stolen In Breach At Canadian Subsidiary

New submitter Kargan shares a report from BleepingComputer: PayPal says that one of the companies it recently acquired suffered a security incident during which an attacker appears to have accessed servers that stored information for 1.6 million customers. The victim of the security breach is TIO Networks, a Canadian company that runs a network of over 60,000 utility and bills payment kiosks across North America. PayPal acquired TIO Networks this past July for $238 million in cash. PayPal reportedly suspended the operations of TIO's network on November 10th. "PayPal says the intruder(s) got access to the personal information of both TIO customers and customers of TIO billers," reports BleepingComputer. "The company did not reveal what type of information the attacker accessed, but since this is a payment system, attackers most likely obtained both personally-identifiable information (PII) and financial details." The company has started notifying customers and is offering free credit monitoring memberships.

Oh great. There goes a ton of e-commerce.

[Seven+Spirals]

Wonderful. They have my bank account numbers and transfer authorization. If they get owned, I'm gonna get fucked like a housecat. I think I'm going to have to switch Paypal's funding source to a pre-paid card or something. Just more hassle to *try* and keep them from wiping my main accounts. For a while I thought the guys who bought gold and stuffed it into a safe deposit box were crazy. Now it looks like I'm the one who is crazy for trusting any of this Rube-Goldberg machine of e-commerce and e-payments to be somewhat secure.

Re:Oh great. There goes a ton of e-commerce.

[110010001000]

How would having your bank account number be an issue? It isn't a secret. Just close the account.

Re:Oh great. There goes a ton of e-commerce.

This has nothing to do with your Paypal funding source or anything related to your Paypal account.

This is a website OTHER THAN paypal.com. Paypal is mentioned in the summary because TIO is owned by the same company as paypal.com

From the linked article:

The PayPal platform is not impacted in any way, as the TIO systems are completely separate from the PayPal network, and PayPal’s customers’ data remains secure.

Re:Oh great. There goes a ton of e-commerce.

I've been using a completely separate account for years. They'll get $100 if they get anything.

Re:Oh great. There goes a ton of e-commerce.

[ZorinLynx]

Make sure you have overdraft "protection" turned off and that the accounts are not "linked".

If you have it turned on, and someone tries to transfer thousands of dollars from that account, the transfer might succeed, the balance withdrawn from another account. This has screwed people over before, with fraud removing a large amount of money from savings even though checking only had a hundred of so dollars in it.

Overdraft "protection" is a horrible idea. Not only does it allow money to be removed from a different account, but they charge you a free for the privilege. It is FAR better for a mistake to cause a transaction to be declined than to expose your entire balance at a specific bank through a single account number.

Re:Oh great. There goes a ton of e-commerce.

[Gr8Apes]

Why would you ever give them access to your main account? This should be a miniscule account with the sole purpose of funding your paypal purchases.

Re: Oh great. There goes a ton of e-commerce.

[c6gunner]

That's ... not overdraft protection. I don't know WTF that is. Might be a feature called "please merge all of my accounts and don't tell me about it". I dunno what it is because nobody ever told me about it, but I do know what overdraft protection is, and that's not it.

Overdraft protection just allows your account to go into the negative. So if I have $100 in the account, and $1,000 worth of overdraft protection, then the thief could withdraw $1,100 and I would owe the bank $1,000. It's basically like having a really crappy credit card as backup for your chequing account. It does not pull anything from any other accounts, it just puts your balance in the negative.

Re:Oh great. There goes a ton of e-commerce.

[ShanghaiBill]

How would having your bank account number be an issue? It isn't a secret.

It was never a secret. It is printed on your checks. Everyone you have ever transacted with could see it.

Maybe we should fix our financial system so that it doesn't rely on the same information being both widely known and secret.

Re: Oh great. There goes a ton of e-commerce.

It always seems like the honest guys end up on the wrong end of bank rules and regs. I can't count the number of times people have sucked money from my account using cheques which i've been unable to reverse. Yet when other people pay me, they seem to have no trouble scamming me and charging back. Same deal with credit cards. I just wish there were consistant published rules across banks. Instead i switched to bitcoin years ago.

Re:Oh great. There goes a ton of e-commerce.

[Mashiki]

Why would you ever give them access to your main account? This should be a miniscule account with the sole purpose of funding your paypal purchases.

Because in Canada, quite a few businesses allow you to pay with paypal directly from your business account similar to the way CoD chequeing used to work. Especially since you can set your account to escrow shipments/payments like that. Some people are quite happy to have their accounts setup that way because it's easier then running multiple accounts. Especially with the huge banking fees up here, you know like having $5k in a personal account is the requirement for 0 service fees? It's $40k in a business account at the big 5 in Canada(TD, BMO, CIBC, Bank of Nova Scotia, Royal bank).

Re:Oh great. There goes a ton of e-commerce.

[cyberchondriac]

This. I learned to do that the hard way, after someone in Toyko charged my account $500 for a hotel room 3 years ago.
So now I have a separate checking account which I keep nearly empty; I have it tied to the bank account via a MAC card rather than the account routing number, that's much easier to cancel and change my bank told me. Then when I want to buy something with Paypal, I log into my bank, do a quick transfer of just the funds that I need, and then make the purchase.
This way, scammers are going to be trying to get blood from a stone unless they have miraculous timing.

Re:Oh great. There goes a ton of e-commerce.

[Gr8Apes]

Credit unions and the like are your friends, in these cases. I actually utilized an old account in a credit union completely separate from my main banking needs for Paypal. There's 0 possibilities for Paypal to tie into any significant amount of cash. Note that with a run rate of more than $1K a month on average, you should have at least 4-6K in the bank anyways for emergencies. So if you create a secondary account for Paypal, most banks will not charge you extra fees for that account, as long as it is not underfunded for when you do purchase something.

Am I safe?

[goombah99]

Is this confined to Canada or did it leak to other companies? 1.6Million sounds like a small number of accounts. But as we saw with Yahoo, breach reporting tends to be an underestimate.

Paypal is my most dangerous account since it's hooked to live bank accounts so I use my best passwords for it.

Re:Am I safe?

[ShanghaiBill]

Paypal is my most dangerous account since it's hooked to live bank accounts so I use my best passwords for it.

This has nothing to do with your Paypal account.

The leak occurred in a subsidiary company that processes utility payments in Canada.

Re:Am I safe?

[tlhIngan]

Is this confined to Canada or did it leak to other companies? 1.6Million sounds like a small number of accounts. But as we saw with Yahoo, breach reporting tends to be an underestimate.

Paypal is my most dangerous account since it's hooked to live bank accounts so I use my best passwords for it.

Your Paypal account is safe. What happened was TIO Networks was breached. Paypal acquired TIO Networks in July of this year and discovered the breach.

Paypal itself was not breached, and if Paypal wasn't acquiring them, it wouldn't even be a part of the topic. However, since Paypal did acquire them, they discovered 1.6M TIO Networks accounts were breached.

It's confusing, but Paypal itself was fine. Paypal just found a breach in one of the companies it recently acquired.

Free Credit Monitoring Memberships

A Free Health Club Membership would be much more useful.

We don't want credit monitoring services

[Archon]

We want companies to secure our data and face significant hardship when they fail.

Comment removed

[account_deleted]

Comment removed based on user account deletion

Re:From TFA

[zm]

It seems that the breach was not of Paypal network but of TIO network which paypal acquired in July 2017

Yeah, but what's the point of reality when you can have a clickbait headline?

Re: From TFA

Something happened to this site a couple years ago and it's sad.

Re: From TFA

Something happened to this site a couple years ago and it's sad.

Some people drove CmdrTaco and RobLimo away years ago. Plus the hipsters seem to have taken over /. anyway. I fondly recall the good old days of 1999.

Why this is much worse than you think

[Buck+Feta]

... it's not. It's just a bullshit clickbait title. /. Is no better than BuzzFeed. Fucking garbage. For shame.

Re:Why this is much worse than you think

What do you expect? slashdot began its slow slide into irrelevance over half a decade ago now. They need to grab every click they can before the sun completely sets on them as more and more people realize just how much better the modern alternatives to this dinosaur of a site actually are.

Well....

[MerlTurkin]

I don't use my bank account on Paypal (I'm not that stupid), only a credit card so if I see something wrong I can call and they'll take care of it.