Last week I started receiving SMS with PayPal security codes and then got a notification about someone adding a card to my account and withdrawing $1.5k.

2FA was disabled because it doesn't work in Safari (including logging in from their iOS app, imagine this), so I blamed myself, turned it on, reported the unauthorized transaction to PayPal… and had $1.5k more withdrawn to a newly added card two days later!

Apparently, there is an option of an SMS-based login(!!!) where they send you a 6-digit code that allows for a login without 2FA:
https://www.paypal-community.com/t5/Managing-Account/How-do-I-disable-one-time-codes/td-p/2835147

I don't know if the SMS gateway to my Chilean number is leaky or if they just brute-forced the code, but here we are. Also, no confirmation is needed to add new cards and make withdrawals even when 2FA is enabled.

(Yes, I know keeping money at non-bank payment services isn't good, but withdrawing it from there meant a conversion to my local currency which nowadays devalues much faster than USD. Greed got me.)