In screenshots posted to Imgur, a PayPal user who was having problems accessing their account had received assistance from support representatives via direct message on Twitter.
However, while social media as a support system isn't at all uncommon, the solution to the account access issue is a serious problem – PayPal's support staff disabled multi-factor authentication during the DM conversation.
What's more, the level of authentication required consisted of the account email address, and nothing more.
Below, the images show the reset and the fallout after, including a reject bug bounty notice, as Social Engineering isn't considered a flaw that's worthy of a reward.
That's understandable, but interesting. There's no escaping the fact that Social Engineering is exactly how most PayPal accounts are compromised.
PayPal support staff are quick to help users online and via the phone, and security is an important aspect of their jobs - one they take seriously. Anyone who has ever called into PayPal has played the twenty question game, a process that's used to verify a person's identity.
However, while the images posted online appear to show a customer with a previously recorded support issue, two-factor authentication (2FA) shouldn't have been disabled via social media, the better option would be to keep this level of troubleshooting to the phones.
Salted Hash reached out to PayPal for comment before this story ran. Late Friday afternoon, a spokesperson sent the following:
"PayPal takes the security of our customers very seriously and has put many measures in place to safeguard their accounts. While 2FA is an important, additional security measure, it is not the only way we protect our customers.
"If 2FA is found to be preventing a customer from using their PayPal account we support them in suspending this feature, if requested. We also have multiple ways of verifying the authenticity of customer's identity before taking any action on their account. We have carefully reviewed this exchange and have determined that the identity of this customer was properly identified by the agent involved.
"We will evaluate our procedures around identifying customers who contact us via social media channels to ensure proper authentication. We regret any frustration or confusion this situation may have caused the customer."