Klarna has suffered a security breach after a bug caused random user data to be exposed to the wrong user when accessing its user interfaces.
Users were able to see the full details of other accounts, including their personal information, postal address, purchases, and payment methods. When they tried to log in again, they would see yet another random user's information.
Each time I tried to log in to my @Klarna account this morning, I'm on someone else's account? Does this also mean someone else might currently be on my account? What the hell is going on?!! @AskKlarna pic.twitter.com/hqimF2zx7S — esra efe laborde (@esraefe) May 27, 2021
According to Klarna CEO Sebastian Siemiatkowski, “it is important to note that the access to data has been entirely random and not showing any data containing card or bank details (obfuscated data was visible). This means that it has been impossible to access a specific user’s data. According to GDPR standards, only non-sensitive data was exposed. However we recognize that what is deemed non-sensitive is very individual, and we set our own standards higher than GDPR.”
- 10:49 am CET: Bug introduced
- 11:20 am CET: User interfaces shut down to avoid any further issues
- Since then Klarna have identified the root cause, started communications efforts, rolled back the bug, prepared to take the systems live again, and informed appropriate authorities
Moving forwards, the company says it will now work to:
- analyze and understand exactly which consumers have been affected and how
- analyze and understand exactly how the risk assessment of the specific systems was invalid, to implement appropriate actions to avoid this and similar incidents going forward