Klarna Users Report Being Able to Access Other People’s Accounts and Data

By Bill Toulas / May 28, 2021

There are few things that could be worse for privacy and security than letting random users access other people’s accounts, which is precisely the problem that hit Klarna’s userbase yesterday. Klarna is a Swedish fintech company that provides financial services such as carrying out transactions and payments via a mobile app, and it’s actually quite popular in 15 countries around the world.

When trying to log in to their accounts yesterday, several users were surprised to see the details of multiple other people, including phone numbers, partial card details, full names, addresses, mandate reference IDs, bank names, etc.

With the reports piling up on social media platforms, Klarna had to respond. The company’s CEO posted on the blog, explaining that the problem was introduced by a bug, lasted for only 31 minutes (between 10:49 am CET and 11:20 am CET), and affected approximately 9,500 users (0.1%).

As Sebastian Siemiatkowski said, this incident doesn’t constitute a violation of GDPR, as the information that was made visible to random users is classified as “non-sensitive.” This is a weird statement to make, and it sounds like Klarna wishes to avoid data protection investigations that would inevitably lead to the imposition of large fines.

As the company further details, the issue affected only the app users, so the payment services, Klarna Card, merchant checkouts, and merchant user interfaces were completely unaffected by this. Some users attempted to log in via the web-based interface as a response to the lapse, trying to urgently remove their cards and prevent malicious charges from happening. Unfortunately for them, the system wouldn’t allow them to remove cards, so the entire service had decreased functionality at the worst possible time.

Klarna describes this merely as an “inconvenience” in its apologetic messages to infuriated users and has assured the community that it has identified the root cause and ensured that it will never happen again. However, not accepting this incident as the large-scale security breach that it was makes things a lot worse.

Even if this wasn’t the result of an external hacker attack, and even if the access to other people’s accounts was random and couldn’t have been targeted, this is still a security breach. We have asked some of the affected users directly and confirmed that Klarna hasn’t sent out any notices of a breach to its userbase yet.


