by muppetman 1397 days ago
My wife has been getting a bunch of these today. I still don't see what the potential problem is if an attacker has my wife's email (which I can imagine has been made public by 100 data breaches etc) and phone number. A bad actor can't use those to log into Paypal? You still need to GET the text message code. Is the risk a SIM Swapping attack?
3 comments

SIM swapping is pretty easy, or you just call the number right after or before and pretend to be PayPal checking something.

“We’re verifying your account, please read the number I’m about to send you.”

This is made worse because actual banks actually do this.

If nothing else, it's information disclosure; you should not be able to go from having a person's email address to having even part of their phone number.
A six-digit code means they can brute force it if they try across enough accounts. With 500k tries they'll have a 50% success rate of brute forcing 1 account.
Nitpick: Less than 50% chance, but with a chance of finding more than 1.
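Worked out as an added example, not posted by any of the commenters above: the "500k tries, 50%" figure is the expected number of broken accounts, while the chance of breaking at least one is a bit under 40%, and there is roughly a 9% chance of breaking more than one. The model below assumes a six-digit numeric code with a uniformly random value per account, independent accounts, and no rate limiting; the function names and the 100,000-account / 5-guesses-per-account spray are assumptions for illustration, not anything the thread states.

```python
import math

CODE_SPACE = 10**6  # six-digit numeric OTP: 000000..999999 (assumed uniform)


def expected_successes(tries, code_space=CODE_SPACE):
    """Expected number of accounts broken when every guess is an independent
    1-in-code_space shot. 500k guesses -> 0.5 accounts, the figure in the thread."""
    return tries / code_space


def p_at_least_one(tries, code_space=CODE_SPACE):
    """Probability that at least one of `tries` independent guesses lands.
    Exact value is 1 - (1 - p)^tries; log1p keeps it accurate for tiny p."""
    p = 1.0 / code_space
    return 1.0 - math.exp(tries * math.log1p(-p))


def p_exactly_k(k, tries, code_space=CODE_SPACE):
    """Poisson approximation to the number of successes (lambda = tries / code_space).
    Good here because p is tiny and tries is large."""
    lam = tries / code_space
    return math.exp(-lam) * lam**k / math.factorial(k)


def p_more_than_one(tries, code_space=CODE_SPACE):
    """Chance of breaking two or more accounts: 1 - P(0) - P(1)."""
    return 1.0 - p_exactly_k(0, tries, code_space) - p_exactly_k(1, tries, code_space)


def spray_summary(accounts, tries_per_account, code_space=CODE_SPACE):
    """Attacker sprays `tries_per_account` distinct guesses at each of `accounts`
    accounts (e.g. to stay under a per-account lockout). Within one account the
    guesses are without replacement, so that account falls with probability
    tries_per_account / code_space; accounts are independent. Returns a dict with
    the expected number of compromised accounts and P(at least one)."""
    per_account = tries_per_account / code_space
    return {
        "total_guesses": accounts * tries_per_account,
        "expected_compromised": accounts * per_account,
        "p_at_least_one": 1.0 - math.exp(accounts * math.log1p(-per_account)),
    }


if __name__ == "__main__":
    # The thread's scenario: 500k guesses in total.
    print("expected accounts broken:", expected_successes(500_000))
    print("P(at least one broken): %.4f" % p_at_least_one(500_000))
    print("P(more than one broken): %.4f" % p_more_than_one(500_000))
    # Constructed spray: 100k accounts x 5 guesses each, same total budget.
    print(spray_summary(100_000, 5))
```

The spray view is the practical caveat: a per-account attempt limit caps how many guesses one account absorbs, but it does not change the expected yield of a campaign that spreads the same 500k guesses over many accounts. What actually cuts the numbers is shortening the code's validity window and limiting attempts globally per source, not just per account.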