Comment by carstenhag

Related, but not strictly the same: a week ago my IBAN (eu-wide bank account number) was used via a Paypal guest account to make payments of 580€, paying through direct debit (Lastschrift).

There is no inherent security at all. Merchants usually send you 1 cent with a 2fa code, in order to verify that you have access to the account. In my case this was not done apparently, and the scammers got their items. I was able to do something similar to a charge back, but I wonder whether the online store or PayPal will have to eat the loss.