Assume it's a false positive for fraud. If you have false positives in your fraud detection and refuse to explain the situation to customers so they can refute the claim, how do you ever fix your broken detection system? Do you simply claim you're batting 1000 and call it a day?<p>I just logged in to PayPal a couple days ago using my residential IP (unchanged for 2 years), a random (strong, unique) password, and a Yubikey only to be told suspicious activity on my account required me to change my password. From my point of view they randomly picked something they think is suspicious and it triggered something somewhere I guess? Is it suspicious login activity / attempts or suspicious activity like the person here is describing? Am <i>I</i> doing something suspicious or is a nefarious 3rd party doing something suspicious?<p>Thankfully I don't really use PayPal for anything important and I never will given the terrible stories I've hear for most of my adult life.