According to PayPal’s summary of the problem, if users had entered their PayPal credentials after following a login link from a malicious site, hackers could have completed the security challenge on their own and got hold of users’ passwords.