PayPal Says 1.6 Million Customer Details Stolen In Breach At Canadian Subsidiary

New submitter Kargan shares a report from BleepingComputer: PayPal says that one of the companies it recently acquired suffered a security incident during which an attacker appears to have accessed servers that stored information for 1.6 million customers. The victim of the security breach is TIO Networks, a Canadian company that runs a network of over 60,000 utility and bills payment kiosks across North America. PayPal acquired TIO Networks this past July for $238 million in cash. PayPal reportedly suspended the operations of TIO's network on November 10th. "PayPal says the intruder(s) got access to the personal information of both TIO customers and customers of TIO billers," reports BleepingComputer. "The company did not reveal what type of information the attacker accessed, but since this is a payment system, attackers most likely obtained both personally-identifiable information (PII) and financial details." The company has started notifying customers and is offering free credit monitoring memberships.

Oh great. There goes a ton of e-commerce.

[Seven Spirals]

Wonderful. They have my bank account numbers and transfer authorization. If they get owned, I'm gonna get fucked like a housecat. I think I'm going to have to switch Paypal's funding source to a pre-paid card or something. Just more hassle to *try* and keep them from wiping my main accounts. For a while I thought the guys who bought gold and stuffed it into a safe deposit box were crazy. Now it looks like I'm the one who is crazy for trusting any of this Rube-Goldberg machine of e-commerce and e-payments to

Re:

[110010001000]

How would having your bank account number be an issue? It isn't a secret. Just close the account.

Re:

[Gr8Apes]

Why would you ever give them access to your main account? This should be a miniscule account with the sole purpose of funding your paypal purchases.

Re:

[Mashiki]

Why would you ever give them access to your main account? This should be a miniscule account with the sole purpose of funding your paypal purchases.

Because in Canada, quite a few businesses allow you to pay with paypal directly from your business account similar to the way CoD chequeing used to work. Especially since you can set your account to escrow shipments/payments like that. Some people are quite happy to have their accounts setup that way because it's easier then running multiple accounts. Especially with the huge banking fees up here, you know like having $5k in a personal account is the requirement for 0 service fees? It's $40k in a busine

Re:

[Gr8Apes]

Credit unions and the like are your friends, in these cases. I actually utilized an old account in a credit union completely separate from my main banking needs for Paypal. There's 0 possibilities for Paypal to tie into any significant amount of cash. Note that with a run rate of more than $1K a month on average, you should have at least 4-6K in the bank anyways for emergencies. So if you create a secondary account for Paypal, most banks will not charge you extra fees for that account, as long as it is not

Re:

[cyberchondriac]

This. I learned to do that the hard way, after someone in Toyko charged my account $500 for a hotel room 3 years ago.
So now I have a separate checking account which I keep nearly empty; I have it tied to the bank account via a MAC card rather than the account routing number, that's much easier to cancel and change my bank told me. Then when I want to buy something with Paypal, I log into my bank, do a quick transfer of just the funds that I need, and then make the purchase.
This way, scammers are going to

Re:

[ShanghaiBill]

How would having your bank account number be an issue? It isn't a secret.

It was never a secret. It is printed on your checks. Everyone you have ever transacted with could see it.

Maybe we should fix our financial system so that it doesn't rely on the same information being both widely known and secret.

Re:

[ZorinLynx]

Make sure you have overdraft "protection" turned off and that the accounts are not "linked".

If you have it turned on, and someone tries to transfer thousands of dollars from that account, the transfer might succeed, the balance withdrawn from another account. This has screwed people over before, with fraud removing a large amount of money from savings even though checking only had a hundred of so dollars in it.

Overdraft "protection" is a horrible idea. Not only does it allow money to be removed from a diffe

Re: Oh great. There goes a ton of e-commerce.

[c6gunner]

That's ... not overdraft protection. I don't know WTF that is. Might be a feature called "please merge all of my accounts and don't tell me about it". I dunno what it is because nobody ever told me about it, but I do know what overdraft protection is, and that's not it.

Overdraft protection just allows your account to go into the negative. So if I have $100 in the account, and $1,000 worth of overdraft protection, then the thief could withdraw $1,100 and I would owe the bank $1,000. It's basically like

Am I safe?

[goombah99]

Is this confined to Canada or did it leak to other companies? 1.6Million sounds like a small number of accounts. But as we saw with Yahoo, breach reporting tends to be an underestimate.

Paypal is my most dangerous account since it's hooked to live bank accounts so I use my best passwords for it.

Re:

[ShanghaiBill]

Paypal is my most dangerous account since it's hooked to live bank accounts so I use my best passwords for it.

This has nothing to do with your Paypal account.

The leak occurred in a subsidiary company that processes utility payments in Canada.

Re:

[tlhIngan]

Is this confined to Canada or did it leak to other companies? 1.6Million sounds like a small number of accounts. But as we saw with Yahoo, breach reporting tends to be an underestimate.

Paypal is my most dangerous account since it's hooked to live bank accounts so I use my best passwords for it.

Your Paypal account is safe. What happened was TIO Networks was breached. Paypal acquired TIO Networks in July of this year and discovered the breach.

Paypal itself was not breached, and if Paypal wasn't acquiring the

We don't want credit monitoring services

[Archon]

We want companies to secure our data and face significant hardship when they fail.

Comment removed

[account_deleted]

Comment removed based on user account deletion

Re:From TFA

[zm]

It seems that the breach was not of Paypal network but of TIO network which paypal acquired in July 2017

Yeah, but what's the point of reality when you can have a clickbait headline?

Why this is much worse than you think

[Buck Feta]

... it's not. It's just a bullshit clickbait title. /. Is no better than BuzzFeed. Fucking garbage. For shame.

Well....

[MerlTurkin]

I don't use my bank account on Paypal (I'm not that stupid), only a credit card so if I see something wrong I can call and they'll take care of it.