I was fast asleep when the email came through. When I glanced at it in the morning I thought it was *just* another phishing email using PayPal branding. This isn’t a good first response to an email from PayPal! Thank goodness I checked my account because this was a real payment. The amount stolen was under £20, probably disguised to fit in with other recent payments.
As a geek who knows too much about online security, I couldn’t help but feel some admiration for the skill it would have taken for someone to crack my account. On top of this, whoever stole the money probably identified a strategy to only transfer small payments, intended to get lost between regular transactions. However, in between all of these feelings was a sense of worry and frustration that somebody somewhere discovered my account details. Then a real sense of anger that PayPal had permission to just withdraw money from one of my bank accounts without any validation process – it just did it.
Immediately I wondered if somehow my details had been leaked in a larger security breach, if keylogger malware was on my computer or if I had somehow been careless with my details. The fact is I’ve checked all these details and know that I haven’t been careless. No system is impenetrable and a security flaw on PayPal must have been discovered. At this stage I hope it has only been my account affected in a single incident, rather than a mass security leak.
If you have a PayPal account then I recommend you:
1) Change your password
2) Change your security questions
3) Review your recent transactions
I raised the breach with PayPal in the last hour. Depending on the response, I’m tempted to close my PayPal account. I’ll keep this post updated with any details.