Security Codes being sent

SGoodman
Contributor

Greetings,

I keep receiving text messages saying "Your security code is: [code] Your code expires in 5 minutes. Please don't reply."

Is someone trying to log into my account? How can I stop this?

I've already changed my password.

Thanks,

Shane.

72 REPLIES

efraindelarocha
Contributor
It's possible you connected your PayPal account to something like Mint, Experian, Rocket Money or a number of other accounts and their computers are trying to access PayPal. You won't know what service it is until you connect to those services and figure out PayPal has not been updating due to security issues, at which point you need to remove it and add it over again.

Skuchenjia
Member
For the more recent posts on this thread, and to ease some concerns, I have received several of these codes today as well. Both via text message and in email. They look legit, and I would guess that this might be a message sent when a user selects the "I forgot my password" button. So I would guess someone, or a bot, is probably sending forgotten password requests to a list of emails they've collected. My primary concern would be that maybe they have a way to access my email, which would then allow them to actually reset my PayPal password and access my account, but I am not immediately concerned for my PayPal account, because as long as I can log in, they have not been able to reset my password using the "forgot my password" option. It would be nice to get some feedback from PayPal staff on this matter, but these are my thoughts.

I actually decided to test this theory before posting, and this is exactly what is happening. I select "forgotten password" and it asks for my email. Then it offers 4 options to confirm your identity: email a code, answer security questions, confirm your credit card number, or receive a code via text message. The same text message shows up from the same number as the messages I received this morning. So communications are most likely legit, but the requests are not.

It would be comforting if PayPal had an option to prevent password reset requests for a short period of time. By immediately giving options for resetting a password, they're confirming that our email is associated with a PayPal account. Perhaps would-be hackers could be deterred by a policy that allowed us to change our password and then not allow a forgotten reset for a month. In this way, the hackers might try resetting again and they might then receive a message that indicates no account is associated with our email due to our recent password reset. Just an idea for user peace of mind.

Heyme1966
New Community Member

Well, here's another one. 2 codes sent in short succession. Got worried, removed my bank card from the account. Set up 2-step verification.

Not much money for the rest in the account, and no suspicious transfers, so ignoring, going with the assumption someone entered wrong tel nr or email.

Account set up last year only, and not my regular email, so pretty weird and scary really.


yellapu
Contributor

I received 4 SMS today. I think someone must be trying to hack into the account. After reading your post, which makes sense, I removed 3 of my credit cards linked to my pp account. I think it is good for now. Cheers!!!


tickrian
Contributor

Here's what's happening and why we are receiving these SMS's or emails:

  • Some Person, anywhere in the world, clicks "Forgot my password"
  • PayPal asks for their email address or phone
  • Person types an email or phone... and here is what the PROBLEM is:
    • if the person types email or phone, and if YOUR email or phone happens to be what they typed, YOU will receive the security code. Now the Person could be entering it by mistake or deliberately, that's up for debate
  • This is potentially a security hole that PayPal is ignoring, because it gives away (by confirming an account with that email or phone exists on PayPal system) your email or phone number to anyone!

Although you don't need to worry about receiving these, PayPal should NOT be doing it by default to alarm people with good accounts in order to satisfy the convenience of just about any walk-in person who demands a password reset at whim! And also, PayPal should have an option for us not to receive and be unnecessarily alarmed if our accounts are being hacked.

Thank you very much.


ak2766
Member

Well, they only give away partial data:

  1. For mobile number, they give away the country code, the first digit, and last 4 digits - leaving the attacker to guess the other 4 digits (that's 10,000 mobile numbers - 0000-9999)
  2. For email address, they give away the 2 characters either side of @ sign and the root domain (such as .com).

The legitimate account holder can verify this is correct and proceed to get the data they need to proceed. The hacker just sits back and hopes the legitimate user will be inattentive and do the wrong thing by mistake.

As a legitimate end user, I'm happy with this. If I do not recognize the info provided, it means I may have forgotten my email to start with and can at least go back and try a different email that leaks enough information for me to know I'm on the right track.


tickrian
Contributor

First of all, it's not likely that your account is hacked, so relax.

Here's what's probably happening and why we are receiving these SMS's or emails:

  • Some Person, anywhere in the world, clicks "Forgot my password"
  • PayPal asks for their email address or phone
  • Person types an email or phone... and here is what the PROBLEM is:
    • if the person types email or phone, and if YOUR email or phone happens to be what they typed, YOU will receive the security code. Now the Person could be entering it by mistake or deliberately, that's up for debate

While there is no cause for concern, this is potentially a problem, because it gives away (by confirming an account with that email or phone exists on PayPal system) your email or phone number to anyone who wants to know.

Although you don't need to worry about receiving these, PayPal should NOT be doing it by default to alarm people with good accounts in order to satisfy the convenience of just about any walk-in person who demands a password reset at whim! And also, PayPal should have an option for us not to receive and be unnecessarily alarmed if our accounts are being hacked.

Hope it helps.
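
An added example, not part of any post in this thread and not PayPal's code: a minimal password-reset service that gives the same reply to every request and limits how often a code goes out to one identifier, the two concerns raised in the posts above (account confirmation and repeated messages). The class, the reply text, the cooldown and guess limits, and the example.com identifiers are all assumptions; only the 5-minute expiry comes from the quoted SMS.

```python
import hmac
import secrets

GENERIC_REPLY = "If an account matches, a security code has been sent."
CODE_TTL = 5 * 60     # from the SMS text: "Your code expires in 5 minutes"
COOLDOWN = 15 * 60    # assumed minimum gap between codes per identifier
MAX_TRIES = 5         # assumed guess limit per issued code


class ResetService:
    """Hypothetical reset flow; every name and limit here is an assumption."""

    def __init__(self, known_identifiers):
        self.known = set(known_identifiers)
        self.last_sent = {}   # identifier -> time the last code went out
        self.pending = {}     # identifier -> [code, issued_at, tries_left]
        self.outbox = []      # (identifier, code) pairs handed to SMS/e-mail

    def request_reset(self, identifier, now):
        # Every path returns the same reply, so the response cannot confirm
        # whether an e-mail address or phone number has an account.
        if identifier not in self.known:
            return GENERIC_REPLY
        if now - self.last_sent.get(identifier, float("-inf")) < COOLDOWN:
            return GENERIC_REPLY      # throttled: the owner gets no new text
        code = f"{secrets.randbelow(10**6):06d}"
        self.pending[identifier] = [code, now, MAX_TRIES]
        self.last_sent[identifier] = now
        self.outbox.append((identifier, code))
        return GENERIC_REPLY

    def verify(self, identifier, code, now):
        entry = self.pending.get(identifier)
        if entry is None or now - entry[1] > CODE_TTL or entry[2] <= 0:
            return False
        entry[2] -= 1                 # count every guess against the limit
        if hmac.compare_digest(entry[0].encode(), code.encode()):
            del self.pending[identifier]   # codes are single use
            return True
        return False
```

An identical reply body does not by itself hide account existence if the two paths take measurably different time, so a real service would also need to equalise response timing.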


Christophercox8
Contributor
This is happening to me as well, had about 6 texts in the last 24 hours and changing password hasn't stopped it. I've added 2 factor authentication to my account but it's still concerning that someone appears to be attempting to log into my account.

Rebarave
Contributor
Same issue. What do I do? If they've gotten to the security code doesn't that mean they hacked your password?

Carl125
Contributor

I've had over 100 messages giving me the same security number. How does it stop?
