PayPal vulnerability allows access to any account within 30 seconds

June 15, 2011

Yup, it’s option 1, but there is a bug in the password reset email process which sends the email to a different account under certain circumstances. The important thing is for PayPal to fix it immediately. It’s embarrassingly easy, if opportunistic.

Having discussed it with an ex-PayPal engineer, it may not be a problem in all regions, as other security features would provide a second level of authentication before changing the password, but that won’t help the millions who are in the region(s) affected. That’s probably the first fix they should do in any regions where they don’t already have it.

Obviously they also need to fix the bug in their emailer, but if they had second-level authentication during password reset, this would not have opened the door.

I should refine the above slightly, in that it was always clear that only a minority of users would be vulnerable in this way, but at one point I estimated it to be possibly as high as a third, and now I think it’s fewer due to reasons that I can’t disclose until the problem has been fixed (sorry, but I’m trying to be responsible). The actual number of people affected will probably turn out to be, thankfully, quite small, but it’s not because the system is secure; it’s just that other factors will restrict the ability of mass exploitation. I’ll explain this when it is safe to do so, but it’s fairly mundane, so don’t get too excited.

Article source: TNW http://feedproxy.google.com/~r/TheNextWeb/~3/pTcJvqCknGg/
