This morning, for the first time ever (in fact for any computer or online service) I had my PayPal account hacked. I can't help but think this is something to do with the dodgy eBay transaction I reported a few weeks ago.

The culprits some how got into my account and sent two US$ payment from the balance I had in there (from an eBay sale yesterday), I reported the problem as soon as I noticed it. And to be fair to PayPal they have already refunded the money so every thing is cool. I have now enabled SMS security on my account and changed all my passwords etc... They don't seem to have done anything else, I don't think there is enough information held on PayPal to fully steal my identity.

Is this a fairly common thing? I have no idea how they got my password and it certainly isn't something easily guessed as it involved letter and numbers in a way I had always thought pretty secure.

Shame as I had always thought of PayPal as being pretty safe, after never having one single problem in many years of using the system.

Cheers

Cris.

Is your PayPal account your primary email address?

Are you primarily running Windows?

Have you looked through your email to see if there's any possible phishing mails pretending to be from PayPal? A nicely implemented phishing scam would take you to the real paypal site as soon as you entered your credentials, so that the fake URL would only be up on the browser for that moment in time as you typed.

Have you done a malware scan to make sure you don't have any keyloggers installed?

BTW, the key/SMS can be side-stepped by answering one or more "security" questions in addition to supplying the password. From a phishing perspective, this isn't any more secure than not having any external key device enabled at all.

A nice and easy addition to PayPal's site would be the ability to restrict login to an ID that is not the email address used for sending/receiving money. In other words, security through obscurity.

No, all OS X here.

I don't think they have got me with a phishing attack as I always go to paypal.co.uk directly rather than following links in emails etc... This has stood me in good stead in the past, but I can't think how they would have got my password any other way.

I must be missing something somewhere, as I take it a hard hack of a password it very unlikely. I keep every email eBay and PayPal send me in a folder and can't see anything in the past month or so that is asking me to follow a link and log in.

I think the key is pretty secure, at least more secure than without it. It is a bit of a pain in the ass though.

Cheers

Cris.

I assume you have never used your PayPal password on any other online service ?

I did (until yesterday) use the same password for eBay, but no where else.

It would make me feel a whole lot better if I could figure out how they got in. In that respect PayPal have been pretty useless, providing no information or advice at all.

Cheers

Cris.

PayPal really are completely hopeless when it comes to customer service.

My Dad is effectively locked out of his PayPal account. He hadn't used it for a while and went to log in.

It asked him to give the some digits from his credit card to validate the account (and it really was PayPal and not some fishing site). He didn't have the card any more or a record of what the card number was (the card had been replaced after some card fraud).

The only way to contact them appeared to be a phone number that you couldn't find unless you managed to login, which he of course could not. I found the number for him.

When he phoned them, they wouldn't talk to him without a PIN number that he could only get by logging in, which was of course the whole problem. He gave up trying to get them to talk to him.

He can't of course create a new account, as his bank account is tied to the locked out account.

So he doesn't use PayPal anymore.

Make sure he closes the account to be safe- I think you have to fax them a letter to actually close it.

I've had my paypal account hacked twice. I think they have about the worst security on the planet...

They once sent me an email saying my account was suspended because 3000 login attempts were made in 2 seconds. Nice that they caught this before they hit the 4000 mark...

I no longer have a paypal account.

The only information on closing accounts I can find is via the PayPal website, which is impossible without being able to login. He couldn't get them to give him any useful information at all on the phone without the PIN that he of course couldn't get.

I believe he did ask to close the account as part of his fruitless phone conversations with them.

Let's see how PayPal does on this round fighting a chargeback. I have a husband and wife team from California trying to defraud me today.

They attempted a PayPal dispute last week but were denied because their purchase was from back in November. Now they've complained to their credit card company about the transaction.

They claimed that the product I sold them didn't work. They also claimed they contacted me multiple times by email and by PHONE, leaving messages on my voice mail. The problem? No email record at all. No voice mail messages - because I don't publish a phone number for customer support - or on the web site at all.

I contacted them (very nicely and polite) when the attempted dispute came in asking what the problem was and how I could help them. Letting them know that they had me here to resolve their issues and also that the hardware carries a one year warranty. They replied with the BS about contacting me.

They don't want to return the product for a refund. They just want to take my money and keep my product.

The wife is a real-estate broker in Glendale california - I imagine the market must really be hurting if they need to rip off small internet merchants for $50 at a time.

I'm planning to dispute the details with PayPal and I'm also planning to contact the California State Attorney's office and their local police.

Paypal is a lovely target, so it is right up there in terms of numbers of attackers, and skilled mechanisms to get money out of it, which is why they are getting much better at responding...I know, a long way to go, but they are now aiming the right way.

Most successful attacks there seem to use old fashioned routes - main one being reusing a password shared across sites, often somewhere with weaker security. Don't do it folks!!

Also current trojans are pretty smart - realistically now, if you visit malicious sites your av is not going to save you any more. And more real sites are becoming malicious through their own accidental vulnerabilities.

Apple is being targeted more and more, so don't rely on OSX being safe...attackers can get in just as fast as a windows box.

Use layers, trust as few sites/individuals as possible, and watch your accounts for oddities.

Be safe kids

Seems like my words about contacting the State's Attorney General and police are working. I haven't contacted them yet, as I was waiting to get all evidence into PayPal first so that they can start fighting the chargeback on their end.

The customer has written and altered some of what he said in previous claims - though never once did they admit to having flat-out lied. Which unfortunately they did and that still leaves me with a bad feeling, even if they're willing now to cancel the chargeback.

In their original claim they wrote that they had communicated with me and that I had told them to "wait for an update" and didn't provide them with any other alternatives. They never contacted me once and obviously I had never written any such thing to them or anyone else for that matter.

I told them that if the chargeback is cancelled and the products returned, then I would offer them a refund. I've indicated quite clearly that any attempt to obtain the money without returning the merchandise is considered fraud not only by myself, but the entire industry and society (PayPal, the police, etc..)

We'll see how this goes. I'm still going to provide PayPal with all the shipping label and email evidence in the meantime.