My PayPal account has been hacked

paypal_logoLast night someone accessed my PayPal account, setup a payment and did an instant bank transfer. It’s only once there has been a security breach, do we start to think about online safety.

I was fast asleep when the email came through. When I glanced at it in the morning I thought it was *just* another phishing email using PayPal branding. This isn’t a good first response to an email from PayPal! Thank goodness I checked my account because this was a real payment. The amount stolen was under £20, probably disguised to fit in with other recent payments.

As a geek who knows too much about online security I couldn’t help but feel some admiration of the skill it would have taken for someone to crack my account. On top of this whoever stole the money probably identified a strategy to only transfer small payments, intended to get lost between regular transactions. However, in-between all of these feelings were a sense of worry and frustration that somebody somewhere discovered my account details. Then a real sense of anger that PayPal had permission to just withdraw money from one of my bank accounts without any validation process – it just did it.

Immediately I wondered if somehow my details had been leaked in larger security breach, if a keylogger malware was on my computer or if I had somehow been careless with my details. The fact is I’ve checked all these details and know that I haven’t been careless. No system is impenetrable and a security flaw on PayPal must have been discovered. At this stage I hope it has only been my account affected in a single incident, rather than a mass security leak.

If you have a PayPal account then I recommend you:

1)      Change your password

2)      Change your security questions

3)      Review your recent transactions

I raised the breach with PayPal in the last hour. Depending on the response, I’m tempted to close my PayPal account. I’ll keep this post updated with any details.

12 Replies to “My PayPal account has been hacked”

  1. today I received 25 individual charges from sony entertainment network on my paypal each of $10 and one of $20 …. im freaking out I hope paypal fixes it. I changed my PW and sec. question

  2. My Paypal account was hacked last weekend, over £400 of Nike trainers purchased. Yes Paypal have been good at refunding without question but I have been worrying all week about how this could have happened as I am pretty security conscious. I feel a bit better now after reading this but Paypal obviously have a problem.

    1. My paypal account was hacked last night early morning they have taken over £1000. Attached a lloyds bank account etc. have been on to paypal. Pretty scary that it’s so easy for hackers why how?

  3. My PayPal account was hacked on 6 May 2014. I got 5 emails from PayPal saying 5 transactions in GBP had been made by me to someone in the UK. (I live in the U.S.) Each transaction was for less than 100 pounds. My PayPal account was linked to a credit card (not bank account). Because I had set up email security alerts with my credit card company for any transactions over fifty cents USD, I also got 5 emails from my credit card company and immediately knew the transactions were fraudulent.

    My credit card company may have eventually picked up on the fraud and contacted me, but since I had the security alert email capability enabled on my account, I was able to detect the fraud myself within an hour of it happening and contact my card company to cancel the account and request a new card.

    I also called PayPal to tell them about the fraudulent transactions. I requested that they close my PayPal account, which they did at no cost to me. When I asked if they’ve had an uptick in fraudulent activity lately, the customer service person said something like, “Fraud is going on all the time” (kind of like: it’s all around us; nothing wrong with PayPal specifically).

  4. My friend just had the same problem. He had just opened a paypal account last week, and didn’t even use it. Today he woke up with no less than 10 transactions (around 50 euros each) using his account and credit card. Luckily the bank only approved one of them and then blocked his card.

    Did you hear back from PayPal? I strongly considering closing my account as well, and I have already removed my credit card from the site.

    1. Hi Lauro,
      Sorry to read this. Since publishing this blog post it seems like a lot of people are experiencing similar situations. I went onto PayPal’s website and gave them a call and had everything resolved. Do ring them too. The service I received was first-rate.

      1. Three weeks ago one Sunday morning, I received four emails from PayPal each indicating that $150 had been transferred from PayPal to Sony Entertainment Network. I don’t even own a playstation so I had no idea how this could happen.

        Apparently, someone was able to hack into my PayPal account to make these transactions through a playstation. Nice. $150 is the max that can be transferred at one time into one’s Sony wallet, so there must have been 4 wallets?? What also happened was that because this was an ACS transaction, the bank account tied to my PayPal account immediately deducted the money from my bank account and made the bank account available to the hacker.

        Paypal told me that because their account said the charges were “pending” that they were stopped before my bank account was touched. WRONG. The next morning, all four transactions were completed with the bank, bouncing 11 checks and throwing me almost $200 in the red. I went to the bank, closed the account and opened a new one. I didn’t touch anything on PayPal. Meanwhile, I received about 40 emails over the course of the next few days from PayPal telling me that my bank refused payment of these charges. This suggests that the PayPal security guy didn’t or couldn’t do anything to stop the transaction even though it was “pending”.

        First of all, why is anyone surprised than any account, PayPal or otherwise can be hacked. Clearly PayPal, when hacked from the back door or the side door, is pretty easy to access.

        Second of all, why are the security people at PayPal so unsure of what to do when PayPal HAS been hacked. I got misinformation after waiting 1 hour and 30 minutes through two phone cues to talk to PayPal security and the guy was clueless about the Sony Entertainment Network, or anything else. It was a mess.

        The bank had a much better handle on this than PayPal did. If it weren’t for the bank, this could have proceeded much longer. However, it can take the bank up to 10 days to process this mess. Fortunately, my bank worked all sorts of magic in the background, and managed to get the new account up and running right away.

        This of course, is above and beyond all of the places where this checking account is set up for direct payment, and my direct deposit at work. That took another two weeks, calling one creditor after another to change the account number.

        I still have a PayPal account, in part because they CHARGE you to close it, but I have changed all of the security questions and password and tied it to a credit card. Credit card companies are far more efficient at dealing with fraud than are PayPal and the bank. PayPal and banks seem to be stuck in the 1990s with this stuff.

        Caveate? Don’t hook PayPal to anything but a credit card. Never think anything is 100% secure. Every security hookup is just a challenge for a new hacker who will eventually figure it out.

        And shame on Sony for setting this stupid thing up, BRAG about how it would be safer now that they have the PayPal WALL up on transactions from playstations. What a bunch of nonsense.

  5. This is one of the only posts I can find relating to what I’ve just experienced, earlier today I found out I had a payment go through on my paypal to “[email protected]” for $100.00 CAD on January 13th, 2014. I was email bombed with fake receipts from a ton of different emails to disguise the legitimate email PayPal sent me so that I couldn’t see that the funds had been taken.

    I’ve changed all my information, security info, passwords, everything. Scanned my ports and done extensive virus/malware/spyware/adware scanning to make sure my system isn’t compromised. It seems the hacker was able to get my PayPal password somehow and then add a fake alternate address, and send money to that “[email protected]” email.

    Looking at my recent email history (Hotmail), I can see someone has been trying to brute force my password for the past 2 weeks but have been unsuccessful. It seems suspicious. I’ve been trying to trace the hacker but have had no luck (I don’t really know what I’m doing). It’s apparent they’ve been using proxies (or VPN) to attempt to login to my account. I’ve got a list of a few the IP addresses that the hacker’s tried to login to my email using (hundreds, if not thousands). And I’m trying to trace the original IP through the email headers, the email addresses that were used to “Bomb” my email address so that I couldn’t see the PayPal transaction.

    Like yourself, I consider myself knowledgeable about internet/system security & other related fields, so it’s alarming to me that this could even happen. It’s hard for me to swallow the fact that I may never knew who stole $100 from my PayPal and who’s trying to hack my email address.

    1. Also, if I may add, the hacker did an Instant Back Transfer as well for the $100.00, the only reason I found out my money was missing was because I was declined when trying to use my Bank card at a local general store.

    2. It sounds like we both went through the same security steps. Since I wrote this post I’ve been in email contact with PayPal and have talked on the phone with them. Not only did they refund the lost payment in my account but they reassured me of how the lost in payment occurred.

      If you haven’t already urgently speak to PayPal. Their contact numbers can be found through their website.

Leave a Reply

Your email address will not be published. Required fields are marked *