PayPal account hacked - but how?

Shackster

Got a transaction confirmation email from PayPal yesterday (only noticed it today though) about a payment I've supposedly sent to pay for a mac on eBay (£811). Checked my PayPal account in case the email was phishing, but no, the transaction was there. Next I checked my bank and credit card accounts - there was no way the bank account would have covered it anyway, but checked them both and it wasn't on either yet. So then I rang the credit card to block it and will do the same with the bank just to cover all bases.

Then rang eBay; they could see I'd not bid on the item so agreed it was dodgy, but said I had to speak to PayPal, which I'll do tomorrow morning. Lastly, I emailed the seller (who looks legit from his feedback) to say not to send it!

So I think I've covered this and won't lose any money (even temporarily hopefully). But, I'm more worried about how they got my PayPal details - I've changed my password now but if they got it once they could again.

Any ideas how they might have done it? Or how I can stop it happening again? I have Internet security software (bullguard). This isn't the first time we've been had though, so I'm losing faith with it a bit! All advice welcome.

bennett_346

I lost faith in all internet transactions a long time ago. Doesn't matter what security or protection you have someone will find a way to nab it.

I have no faith in credit or debit cards either.

Daz555

Most likely is:

1. You were phished - duped into providing your paypal username and password on a dodgy site.
2. Your password was weak and was simply guessed.
3. You have malware on your PC and someone has been monitoring your activity.

3 relatively unlikely. 1 & 2 happen to hundreds of thousands of people daily.

Firstly of course you need a secure password for ebay and paypal. You also need secure passwords on any email accounts associated with ebay and paypal etc as they can be used as a means of resetting your password - via the "I have forgotten my username/password" option you see on many sites at logon.

A secure password will be at least 8 characters and be a mixture of upper and lower case letters, numbers, and special characters.

Secondly it is worth scanning your computers for malware and viruses.

Daz555

bennett_346 wrote:

I lost faith in all internet transactions a long time ago. Doesn't matter what security or protection you have someone will find a way to nab it.

I have no faith in credit or debit cards either.

Thankfully as long as the bank cannot show your were negligent (ie sharing your PIN) then you are covered for fraudulent transactions.

bennett_346

Daz555 wrote:

bennett_346 wrote:

I lost faith in all internet transactions a long time ago. Doesn't matter what security or protection you have someone will find a way to nab it.

I have no faith in credit or debit cards either.

Thankfully as long as the bank cannot show your were negligent (ie sharing your PIN) then you are covered for fraudulent transactions.

Is that with debit cards as well as credit cards?

My biggest concern is cash machine fronting, and not noticing small withdrawals from my account over long periods of time.

Shackster

Thanks for the advice Daz. I've changed my paypal and email passwords to fiendishly difficult ones! (which I will now forget). Also bought Norton as I've lost faith in Bullguard now. I know it may not be at fault for this but I can't see how anyone could have got my email password other than by hacking (it was already a strong one). My actual paypal password probably wasn't the strongest possible so they may have got straight in that way, through getting it off a less secure website (might have used it on a few :oops:)

graeme_s-2

The other possibility is that you've used the same username and password on another website/service that has been hacked.

cat_with_no_tail

Hang on, not sure I'm following.

- You received an email from paypal to confirm you'd just paid for the item.
- There are no bids on your ebay account, and no debits to any of your linked accounts (none of which had sufficient funds to cover the full value of the purchase anyway)

I don't get how paypal could confirm you've paid for it. They wont confirm a payment if you've not got sufficient funds available. Did they give you the card details on the email they sent?

(not doubting you btw, just can't get my head round it)

Any chance you can copy/paste the email you received (less any personal info of course).

YeehaaMcgee

bennett_346 wrote:

I lost faith in all internet transactions a long time ago. Doesn't matter what security or protection you have someone will find a way to nab it.

I have no faith in credit or debit cards either.

Wasn't there some mahoosive sh*tstorm when CRC got hacked, and I dared to suggest that Paypal was no more inherently bulletproof than anything else?
Seemed a lot of people had a great deal of their ego tied up in a religious belief in Paypal.

Nothing is 100% secure.

Daz555

Cat With No Tail wrote:

Hang on, not sure I'm following.

- You received an email from paypal to confirm you'd just paid for the item.
- There are no bids on your ebay account, and no debits to any of your linked accounts (none of which had sufficient funds to cover the full value of the purchase anyway)

I don't get how paypal could confirm you've paid for it. They wont confirm a payment if you've not got sufficient funds available. Did they give you the card details on the email they sent?

(not doubting you btw, just can't get my head round it)

Any chance you can copy/paste the email you received (less any personal info of course).

Good point.

The email you had saying you had paid a load of money to someone may have been a phishing attempt in itself.

Top tip. Never logon to a site via any link you got on email. Always logon via your own efforts on your web-browser.

Shackster

Ah yes, I thought that, and went into paypal 'properly' - not via the link in the email.

It was just a standard looking paypal receipt. My bank account wouldn't have covered it, but my credit card would have. I put it (the fact that it hadn't hit either account) down to the fact that the transaction happened late on a Saturday, i.e. outside normal business hours. Promptly got the credit card blocked, bit of a pain and maybe unnecessary, but it'll stop me buying any bike bits for a few days at least!!

cat_with_no_tail

But did the paypal receipt specify which card/account the payment had come from?

I mean, it's entirely possible the payment had just gone to held funds on your credit card, hence the reason you couldn't see it yet. I was just curious as Paypal physically can't approve a payment on an account that's got insufficient funds (didn't realize you had a CC linked to it too though).

bennett_346

YeehaaMcgee wrote:

bennett_346 wrote:

I lost faith in all internet transactions a long time ago. Doesn't matter what security or protection you have someone will find a way to nab it.

I have no faith in credit or debit cards either.

Wasn't there some mahoosive sh*tstorm when CRC got hacked, and I dared to suggest that Paypal was no more inherently bulletproof than anything else?
Seemed a lot of people had a great deal of their ego tied up in a religious belief in Paypal.

Nothing is 100% secure.

Yep, i remember.

PayPal is secure, it's the common user that is not. You can design as secure a system as possible but you cannot remove the human inability to fuck things up for themselves (not aimed at the OP necessarily).

Daz555

bennett_346 wrote:

PayPal is secure, it's the common user that is not. You can design as secure a system as possible but you cannot remove the human inability to fark things up for themselves (not aimed at the OP necessarily).

It is secure enough, but nothing is foolproof - I'm sure Sony would have said that PSN was secure and that the chance of leaking millions of credit card details was impossible........

herb71

My PayPal account was hacked a while back, but PayPal themselves spotted the dodgy transaction, the origin of which was Hong Kong. They took £131 followed by another £131 before PayPal froze my account. I got a full refund fortunately.

Not entirely sure, but my password was weak and like an idiot I used the same password on a forum in error. I think this was how they got access. I am now much much more careful. In most instances the thief gets access because of silly lapses by the account owner.

Shackster

Herb71 wrote:

My PayPal account was hacked a while back, but PayPal themselves spotted the dodgy transaction, the origin of which was Hong Kong. They took £131 followed by another £131 before PayPal froze my account. I got a full refund fortunately.

Not entirely sure, but my password was weak and like an idiot I used the same password on a forum in error. I think this was how they got access. I am now much much more careful. In most instances the thief gets access because of silly lapses by the account owner.

This may have been my mistake too. :oops:

PayPal are investigating now so it should all be resolved soon enough.

Lagrange

YeehaaMcgee wrote:

bennett_346 wrote:

I lost faith in all internet transactions a long time ago. Doesn't matter what security or protection you have someone will find a way to nab it.

I have no faith in credit or debit cards either.

Wasn't there some mahoosive sh*tstorm when CRC got hacked, and I dared to suggest that Paypal was no more inherently bulletproof than anything else?
Seemed a lot of people had a great deal of their ego tied up in a religious belief in Paypal.

Nothing is 100% secure.

I was done in this CRC which from recallection was login thefts by an employee - which in fairness is better than a system vulnerability. This case was more than Paypall too - all sorts of banks and cards