Working with the Security Community

Anuj Nayar, Senior Director of Global Initiatives, PayPal

Through the PayPal Bug Bounty Program we were recently made aware of a potential way to bypass our two-factor authentication (2FA) login process for a small number of our mobile products. As the researcher has chosen to share the issue publicly, and because your security is important to us, we wanted to share a bit more information with you.

First, we want to emphasize that all PayPal accounts remain secure. The workaround identified by the researcher relates to an extra layer of security (2FA) that some customers have chosen to add to their PayPal account. Customers who do not use the PayPal security key (physical card or SMS codes) as an additional step to log in to their accounts are not impacted in any way.

If you have chosen to add 2FA to your PayPal account, your account also remains secure, and 2FA will continue to operate as usual on the vast majority of PayPal product experiences. Even though 2FA is an additional layer of authentication, PayPal does not depend on 2FA to keep accounts secure. We have extensive fraud and risk detection models and dedicated security teams that work every day to help keep our customers’ accounts secure from fraudulent transactions.

As a precaution, we have disabled the ability for customers who have enabled 2FA to log in to their PayPal account on the PayPal mobile app and on certain other mobile apps. These customers will still be able to log in to their PayPal account on a mobile device by visiting the PayPal mobile website.

We know that our customers enjoy paying on mobile with PayPal, and we regret any inconvenience this may cause. Your security is our top concern, and we will work as quickly as possible to resolve this issue for you.

Original author: PayPal_Adriana