Q: I suddenly started getting security pass codes from PayPal even though I wasn’t using it. Does this mean someone has my password and is trying to get in?
A: It can be quite disconcerting to get a random message from a service provider with a security code, but you’re experiencing one of the benefits of two-factor authentication.
Because you have registered your cellphone number as a secondary validation to your password, whenever the system detects unusual activity it will send a special code that must be used to gain access to the account.
There are a variety of nefarious and legitimate activities that could be generating the security text message, but to play it safe, I’d change the password immediately.
Was it really PayPal?
If you are getting “security codes” from a standard 10-digit phone number, it isn’t PayPal at all.
PayPal text messages will come from a “short code” such as 729-725, and you should also be able to see previous messages from their system.
Someone Has Your Password
If the code is coming from 729-725, that is PayPal’s messaging number, so someone may have your sign-in credentials.
If you use the same password on other accounts, or you haven’t changed the password for many years, there are a variety of ways that someone could have acquired your password.
When hackers discover a legitimate password for any online service, they often employ bots that will try the same username and password on thousands of other websites in a matter of seconds.
If this is what happened to you, then PayPal generated the special code because the system did not recognize the device/location/browser that was used by the hacker’s bot.
The extra layer of security provided by two-factor authentication kept them from accessing your account and alerted you that someone was trying to get in.
Changing your password to something you have never used before will protect you from this type of unauthorized access and should stop the security messages.
Be aware: There is a related scam in which someone calls you claiming to be from PayPal security and asking you for the code that was just sent to prove you are the rightful owner. This is nothing more than a ploy to trick you into giving them the code they need so they can take over your account.
Forgotten password attempt
If you changed your password but continue to get these security code text messages, it likely means that a bot that never had your password is trying to use the password reset system to get in.
This is another scenario where someone may call you claiming to be from PayPal security asking for the code they just sent.
If you use PayPal to automatically pay other services, it’s possible that the automated billing process for the third party is attempting to process a payment, but can’t without the security code.
If you aren’t sure, check the transaction history in your PayPal account to determine whether you have any connected accounts, so you can manually update the payment information for that connected service.