According to Business Insider, Klarna feared that up to 288,000 customer logins were exposed due to a security flaw involving recycled phone numbers, with internal projections showing potential costs reaching $41.8 million. The buy-now, pay-later company discovered that when mobile carriers reassigned phone numbers, new customers could automatically access the previous owner’s Klarna account, viewing personal information including names, birth dates, addresses, and even Klarna Balance digital wallets. Internal Slack messages from this week reveal product directors estimated 10% of cases would be “severe” with potential $1,000 per case remediation costs, though the company now claims the actual impact was “more than ~99% lower” than initial estimates. The issue dates back to at least 2022 according to support tickets, and Klarna only fully implemented email OTP verification on Wednesday after delaying the fix due to concerns about impacting conversion rates.
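To make the flaw concrete, here is an added simulation in Python (not Klarna's code; the account, the carrier state and the mailbox-ownership rule are constructed for the example) of a phone-keyed login before and after an email OTP step is required.

```python
"""Recycled-phone-number login flaw and its email-OTP fix (constructed model).

Nothing here is Klarna's code: the account, the carrier table and the
mailbox-ownership rule are made up so the flow can run offline.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass
class Account:
    owner: str
    phone: str
    email: str
    balance_cents: int


# Constructed directory keyed by phone number: the lookup the flaw abuses.
ACCOUNTS_BY_PHONE = {
    "+15550001111": Account("alice", "+15550001111", "alice@example.invalid", 12_500),
}

# Constructed carrier state: which subscriber a number currently routes to.
CARRIER = {"+15550001111": "alice"}


def sms_otp_ok(phone: str, person: str) -> bool:
    """Possession check only: whoever the carrier routes the number to gets the SMS."""
    return CARRIER.get(phone) == person


def email_otp_ok(account: Account, person: str) -> bool:
    """Second factor: only the mailbox owner can read the email OTP (constructed rule)."""
    return account.email.split("@")[0] == person


def login_vulnerable(phone: str, person: str) -> Optional[Account]:
    """Before the fix: proving possession of the number unlocks the account mapped to it."""
    acct = ACCOUNTS_BY_PHONE.get(phone)
    return acct if acct and sms_otp_ok(phone, person) else None


def login_hardened(phone: str, person: str) -> Optional[Account]:
    """After the fix: SMS proves the number, email OTP proves the account holder."""
    acct = ACCOUNTS_BY_PHONE.get(phone)
    ok = acct is not None and sms_otp_ok(phone, person) and email_otp_ok(acct, person)
    return acct if ok else None


def reassign_number(phone: str, new_holder: str) -> None:
    """Carrier recycles the number to a new subscriber; the app is never told."""
    CARRIER[phone] = new_holder
```

Once the number is reassigned, the old flow hands the new subscriber the previous owner's account and wallet, while the hardened flow refuses both the new subscriber (no mailbox) and the old owner (no SMS), so the latter is pushed into an account-recovery path instead of silently losing the account.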
The uncomfortable trade-off
Here’s the thing that really stands out from these internal messages: Klarna knew about this security vulnerability for months and deliberately delayed fixing it because they were worried about sales. Back in August, staffers were discussing adding email OTP verification, but internal calculations showed it could reduce gross merchandise value by $28.5 million per month. One data analytics manager explicitly questioned whether the issue was serious enough to justify risking conversion rates in the crucial US market. Basically, they made a business decision that security could wait because it might hurt their bottom line. That’s a pretty damning revelation for a company handling sensitive financial data for 150 million users.
This isn’t their first rodeo
What’s particularly concerning is that this isn’t Klarna’s first security stumble. In 2021, they had a data breach where customers could see each other’s information for 31 minutes due to a “faulty” app change. Then in 2024, they got slapped with a $733,000 fine from a Swedish court for not properly informing users about data storage practices. And now we learn this phone number recycling issue has been popping up since at least 2022. When you’re dealing with people’s financial information and digital wallets, you’d think security would be priority number one. But the pattern suggests otherwise.
Why this matters beyond Klarna
This situation highlights a much bigger problem in the tech industry – the tension between security and growth metrics. Companies are so obsessed with conversion rates and frictionless user experiences that they’re willing to compromise on fundamental security measures. And recycled phone numbers are a widespread vulnerability that affects many services relying on SMS verification. The fact that Klarna’s leadership only became aware of the issue two days after it was identified at working levels shows how security concerns can get stuck in corporate bureaucracy. Meanwhile, their stock price has dropped over 20% since their September IPO – not exactly the kind of momentum you want when you’re trying to convince investors you’re a responsible steward of customer data.
Where does Klarna go from here?
So now they’ve finally implemented email OTP verification, but the damage to trust might already be done. The internal messages reveal they were putting together talking points for merchants about the issue, which suggests they’re preparing for fallout. And they’ve committed to reporting to regulatory authorities if required and notifying potentially impacted consumers. But here’s the real question: will customers feel comfortable using a service that prioritized conversion rates over their data security for months? In the competitive buy-now, pay-later space, trust is everything. When you’re up against players like Affirm and Afterpay, you can’t afford these kinds of self-inflicted wounds.
