I received a payment request today in the Paypal Android mobile app from someone I've never heard of or bought anything from. The app displayed a statement something like "If you don't know this seller, call this number" and included this number:&nbs[Removed. Phone #s not permitted]
I called the number (since it was presented in the actual Paypal app) and it was answered by someone w/an Indian accent. He asked to confirm my email address so I gave it to him, and then he said he would send me a security code that I would provide him to confirm my identity. The code arrived on my phone via text, and I gave it to him. (I think a mistake.)
He then said something about securing my account (accent was very difficult to make sense of) and told me to go to my browser and log into a third-party site - something like "mrpro.org" or similar. That sounded completely strange/wrong, so I hung up on him. I went back to look at the text I had received and then realized it was a password reset code that had arrived, not a general security code. Crap.
Was freaked out for a moment when I couldn't log into my account, but was able to do a quick password reset and changed my account PW. Then removed all my payment methods from paypal, and all my recurring payments. There are no new email addresses or phone numbers listed on my account.
After I hung up on the call a bunch of payment requests appeared in my account that hadn't been there before. I have requested all of those to be cancelled and they all say "Cancelled - Request sent."
So I think I was hacked, and my fault, I didn't read the text that arrived and see it was a PW reset text rather than a general security code. DOH.
My remaining issue (at least I think this is my last remaining issue) is that I have biometric passkeys set up on two known Android devices (mine and my wife's) and in spite of choosing the option on the Paypal web site to log out of all devices, and having changed my Paypal password, those two devices persist on allowing log-in via fingerprint. My expectation is that they should have to re-authenticate, but they are not requiring that.
Appreciate any help/comments.
