Klarna users are being signed in to random accounts

Their German counterpart, Sofortüberweisung, didn't properly blacklist test credentials given out by banks e.g. to developers in the beginning, so people could simply use those and pay for goods and services with fake accounts.

For me there are so many red flags with all these services, as they basically "steal" your credentials to log into your online banking. And while they claim that they only use the credentials to make transfers they could as well look at all my other account data. I really wonder how such a scheme can be legal and how banks can allow this, as they normally tell people to never give their credentials to anyone. The situation of course recently improved with the mandated 2FA for logins and transfers, but still there are so many attack vectors in this model that it boggles my mind how it can still exist.

I have the same sketchy feeling about Sofortüberweisung/Klarna. If they want to make transactions on my behalf, why should I give them full access to my account?

Most banks have a paragraph in their contracts/ToS forbidding sharing the account with third parties, but they are rarely enforcing it. Still, they could close the account due to contract/ToS violation.