Update: As readers point out in the comments, it looks like this is somewhat limited in that only a few gift cards appear. My counter is that these shouldn’t be appearing at all (at the very least they should be noindexed on google). The URL’s do use a secure hash as well.
Earlier we posted about an issue with Paypal Digital Gifts and the fact that a lot of people reported that their balances had been zero’d out. Reddit user mgoulart noticed that you can do a simple google search and both the e-mail address and gift card code will appear when you click the results. For example, here is a page I was able to access even though I didn’t purchase this gift card:
Now I’m not 100% sure that these are valid gift card codes (I didn’t want to try to use a code in case they are), or if this is some sort of test accounts or similar by Paypal Digital Gifts – but on the surface this doesn’t look good. For the time being I’d avoid making any purchases from Paypal Digital Gifts. It might also be possible that this breach is only affecting previously purchased gift cards. It would be good if Paypal would officially comment on this issue.
