Paypal should literally pay upwards of $100k for a bug like this. This is a game changing systemic security issue putting literally every single customer at risk, as well as put at least a minor dent in a the brand of a $40 billion dollar company. $10k is a joke.<p>Wouldn't say $10k isn't nice. Rather, I'd say that history has told us people are susceptible to money. And if someone can choose between $10k and selling information worth much more, let's just conservatively say without pulling numbers from my ass, people would choose the latter option more than Paypal ought to want them to, and that this costs them way more than the $10k they'd otherwise lose. I think that's a pretty fair statement.<p>Anyway, about the issue itself... Really don't know what to think, it's pretty insane, puts a lot of things into perspective once more. (the whole 'if Paypal can't secure xyz, can my local hospital keep my health records safe, am I equiped to handle my own digital security responsibilities?' train of thought).<p>Oh if anyone feels like thinking this through, how bad do you guys think this hack could have turned out if deployed by a malicious group? Paypal is pretty walled in with various limits, fraud checks, frozen accounts, multi-day bank transaction processing, reversible transactions, partnerships with banks to do chargebacks there, and they do KYC on every account. The offramps are therefore pretty limited unless you completely expose your identity. Of course they could buy a ton of stuff online, but how anonymous would the shipping be, and what could you buy with Paypal that would be liquid enough, would ship quickly and could be received fairly anonymously (you don't want to use this hack and end up with 100 playstations and on 3-day shipping to your own home and have police arrive before the goods do!). I wonder what the best plan of action would be, I can't really come up with any solid way to actually walk away, anonymously, with a ton of money but surely there must be one. Indulge me if you want!