So, my PayPal account has a security token in 1Password, and a passkey enabled. No phone number is associated with it because SMS 2FA is the devil and if a number is attached there is no turning that off. It also has an app-specific password, and without one of those forced-on 2FA options, you just can’t log in.

I have not logged into PayPal in weeks or maybe months, when last week I got an email confirming my password has been successfully changed at my request.

What?

So I look at the email, and it’s legit. Not spoofed, valid headers, valid SPF/DKIM, everything. So I hop on my main computer, go to PayPal.com manually (i.e. not using the link in the email, out of an abundance of caution), and sure enough, I can’t log in... invalid password.

I do a password reset flow, it sends me an email asking me to confirm the password change (which I did NOT get when I got the confirmation earlier), I confirm it, and now I can log in fine.

I see no suspicious activity on my account, I see nothing weird at all. I change my password AGAIN, confirm it again via email, issue the command to kill all active sessions but this one and log out all devices, kill my security token and generate a new one, add that new one back to 1Password, log out, and call it a day, because it was after hours and PayPal support was closed. Unfortunately, over the next few days life got wild and I forgot to follow up.

Now, today, I get an email: “We see suspicious activity on your account. Your password has been reset as a precaution and you must change it before logging in.”

Again, the email is legit... go to PayPal.com, can’t log in. Tells me I must reset my password, so I do. It has me verify some personal info, then lets me set a new password (one of those verifications was SSN... the fact I can type in JUST my SSN alone and BOOM it accepts me for who I am is TERRIFYING, given the Equifax breach. Matching an SSN to an email is trivial nowadays!)

So I change it. No suspicious activity inside, and I tell it to log out all sessions as well when prompted whether I want to.

This time I call PayPal, get someone who is barely able to understand what I am explaining but she eventually gets the gist of it. She asks me all the usual boneheaded lack-of-security-awareness questions. Are you sure you haven’t used public wifi? You sure your password is unique? Are you POSITIVE no one in your household knows your password? etc…

I finally get through her script and she puts me on hold and comes back with a “There is definitely a suspicious IP address here that is 100% not related to you no matter where you’ve been this week.”

...okay... so I ask what the IP address is, and she refuses to tell me. Says she can’t disclose the IP for security & privacy reasons. WTF?!!? Privacy? IT’S MY BLOODY ACCOUNT!

Best she can do is open an investigation case into why my account keeps being accessible by this IP even though I have 2FA on, because she doesn’t know why and has no answers. So the security team has to look into it, she gives me a case number, and tells me to sit tight and wait 5-7 business days for an update.

Naturally I went back in and stripped my account down and removed all bank and card info from it for the time being, just to be safe. Only thing on there is a Visa gift card with a $5 balance, lol.

Then, 30 minutes later I get a voicemail (spam filter sent it straight there). The inbound number belonged to PayPal, and it was asking me to “Call them back about my open case” and instructed me to call the same exact number I had called previously, a number that I know for sure is theirs.

I call them back, and the first person I speak to tells me they have no record of calling me or a reason for them to ask me to call them back. I immediately ask to speak to a supervisor because at THIS point, this is getting ridiculous. Something is clearly up on their side and I don’t trust it. He puts me on hold to find a supervisor, before returning and telling me “Actually, it turns out I have just learned we are having a known technical issue right now with one of our systems erroneously sending out those calls. You can safely ignore it and wait for an update to your case from us.”

Uhhh… yeah no. I ask to speak to a supervisor again. He again tells me they will tell me the same thing, but I persist and finally he relents and puts me back in the queue for one.

I get a supervisor who is coming in cold, so I retell the whole story of how I got here. He starts off repeating the same thing: “as to the voicemail... system error... ignore it... etc etc.” Then he confirms he can see my open case, and that their Back Office team has already accepted the case and begun working on it. He says it’s not complete enough for any updates to share and I need to wait for them, but that he can see that they have already confirmed that yes, someone other than me has 100% attempted to change my password, multiple times. However, they can also confirm this person has never been able to log into my account, and that they are being stopped by my 2FA. I ask him how this is possible, since I can’t change my password myself without getting an email asking me to click to confirm before it completes. He says that’s unusual and either my email is compromised (yeah, no, don’t think so. My Gmail is hardware 2FA only) or this is happening via an unknown means, which is what the Back Office security team is currently investigating, and that I need to just wait to hear back from them in 24-48 hours.

I don’t know... all of this to me sounds more like they are in the process of being messed with by someone, and don’t know enough about it yet to actually understand what’s happening... either that or I have really, really pissed someone off and made myself a huge target for someone with a lot of free time on their hands?

J. "Sargonas" Eckert