PayPal is investigating an incident in which a user’s account was compromised and used in a thwarted attempt to send money to a dead ISIS hacker.
Despite the use of two-factor authentication, a cybercriminal was reportedly able to log into the account of independent security researcher Brian Krebs and add an unauthorized email account, not once, but twice, on Christmas Eve 2015.
A PayPal spokesperson told SCMagazine.com via email it appears the company’s standard procedures were not followed in this case, but didn’t specify whether Krebs or PayPal was at fault.
“While Mr. Krebs’ funds remained secure, we are sorry that this unacceptable situation arose and we are reviewing the matter in order to prevent it from happening again,” the spokesperson said.
The security researcher notified the online payment service of the initial unauthorized email change and was assured that his account would be monitored. However, the account was again compromised. The hacker added the same email account, changed the password, and allegedly attempted to send money to an ISIS hacker who was killed in a drone strike earlier that year. The account was then shut down.