My PayPal account was hacked - Has yours ever been hacked?

by Kirk Ward Posted: 04/12/2009
My PayPal Account was hacked tonight and large payments were sent. Luckily it seems PayPal caught it as there were no funds available since I transfer funds out of that bank account daily and maintain a zero balance account. Glad I learned that system from my bank loan auditing days.

Meanwhile, I had to file my first fraudulent transaction report, on top of their internal investigation.

Wondering how often this happens, and sort of wondering how the hackers figured the password. Brute force or PC keylogger? I use RoboForm rather than type my passwords ... is that easily captured or hacked?

What else can I do to protect passwords stored on my PC? I use Sunbelt Software products Vipre and Personal Firewall, and have felt reasonably comfortable with them.

Your experiences, advice and feedback will be appreciated.

Thanks,
Kirk Ward

  • Odhinn
    I had my Paypal hacked about a year ago, but PP was very helpful in refunding me all of my money and setting up security and all that. It took them about two days, but during that time they blocked incoming and outgoing payments to me, which was pretty annoying.

    I think you definitely need to look into your email accounts associated with the Paypal account, as that's how I assume they got in to my account as well. Fortunately, I was smart enough to change primary emails with PP when the hack occurred, but a week after, I noticed someone spamming my address book from the gmail address that had originally been used as the primary paypal.

    Of course, I immediately signed up with one of those privacy protection services for my credit cards and banking info. Nothing else ever came from this though.

    Lucky for me, a few changed passwords, some apology emails, and a few days with no payments coming in from Paypal, and I came out OK. All things considered, it wasn't that bad, though I was pretty stressed at the time.
  • Kay King
    Often it's because someone has clicked a link in a phishing email - but I know you wouldn't do that.

    Wonder how it could happen from paypal's end - interesting. I've known just a few marketers who've had this happen. It's the brighter side of Paypal's security (that sometimes causes us problems) - they seem good at catching the problem and every person I've known it to happen to did get their money back. But it's a hassle to deal with.

    I don't worry about roboform - but I've never been comfortable using gmail for personal info. Don't have a reason - just always felt that way. I keep all personal and financial content emails in email accounts through my isp though I use gmail for everything else.

    kay
  • Dan C. Rinnert
    You can get a PayPal security key that offers an extra layer of protection.

    Interesting that they say the problem was on their end. Scary, actually.
  • Kirk Ward
    I appreciate all the feedback ... it's helpful to see what experiences others have had and what thoughts are running through their heads.

    It wasn't a problem with PayPal, they caught it immediately, and although I'm sure they have more security than what I know of, it was probably because all funds go into a zero balance sweep account, or because it was from a questionable IP address.

    I am pretty sure it was my fault, using the same password as with another login. Maybe some pseudo-IM membership site that gathers email address and passwords for their "membership" site and then looks to see if someone was dumb enough to use the same password for their junker research as they were for their banking.

    I was.

    Lesson learned, duh.

    Maybe my IQ is down to where I could work for the government.
  • ems82
    Hello,

    It is really scary that hackers are able to hack our PP accounts with the help of email accounts. So, what do you suggest? Which email accounts do you think can be safer for us? I mean, Hotmail? Gmail? Yahoo? Or something from your domain or ISP?

    Your recommendations can help many people.
  • bob_sikorski
    The phishing emails get more convincing every day. Don't forget to forward these emails to spoof@paypal.com

    May I suggest you check the credit card and bank info you have listed with Paypal and look over your monthly statement. If someone does hack into your PP account and try to steal $100 and there is only $50 in your PP account, the remaining $50 is automatically deducted from your bank account or credit card.
  • Kirk Ward
    I recommend using an email account from your own domain. If you have an ISP you can communicate with, the password can be changed, even if they hack your domain.

    My mistake was not changing my PayPal password from the one I used when I created it. I was sloppy and used the same password I use a lot for sloppy stuff. One for dangerous places, and one each for all things important seems to be a bit safer.

    Thanks Bob, I already done did that.

    One additional point. The damage goes beyond me. I just got a phone call from a kid who received one of the payments. Seems he released his World of Warcraft character license to someone with a gmail account as soon as he saw the funds hit his Paypal account. Did you know that a World of Warcraft character license can sell for $300 or more? Jeez, I'm in the wrong business.

    Cheers.
  • LordXenu
    Could have happened any number of ways. Phishing, keyloggers/spyware, even just plain luck. Best way to avoid spyware is to NOT DOWNLOAD PIRATED SOFTWARE. I'm not saying you did, but any time I run an app that even slightly tickles me the wrong way, I do it through a virtual machine. This goes for all sorts of applications, including marketing software purchased on what are otherwise reputable forums. I have tinyXP installed in a virtual machine running under Sun's VirtualBox. This is all free, and should save you from most of your spyware infections.
  • JamesCallowag
    My PayPal account hasn't been hacked, but my eBay account has. It was a very bizarre experience when my account was doing all kinds of magical things I don't even know how to do, and getting charged fees I didn't even know existed. Soon I did call their customer support and worked it all out.
  • edhan
    Anything to do with banking or money concerns, I write down the passwords in my diary. So, whenever I need to login, I will check with my faithful diary.

    I changed passwords monthly so my diary filled with crossing of passwords.

    I always believe in 'better safe than sorry'. So we ourselves need to take extra precaution to avoid things like this happening. Though some may say that it is tedious to do so but safety is always my first priority.
  • Stevecyr
    Hey.. I hope none of your money has been stolen. And one request for you.. would you try going into a bit more detail so that we can protect us from being stolen?
  • Kirk Ward
    Ed, I especially like the idea of frequent password changes. I have to do that on a couple of bank accounts. I'm surprised PayPal doesn't institute something similar.

    Thanks,
    Kirk

    Originally Posted by edhan
    Anything to do with banking or money concerns, I write down the passwords in my diary. So, whenever I need to login, I will check with my faithful diary.

    I changed passwords monthly so my diary filled with crossing of passwords.

    I always believe in 'better safe than sorry'. So we ourselves need to take extra precaution to avoid things like this happening. Though some may say that it is tedious to do so but safety is always my first priority.
  • anth.elias
    As a computer geek I know a lot of the ways that hackers get into accounts; brute force does not work on PayPal. Keyloggers are one of the main reasons you could have your account hacked into. Keyloggers are very small files, less than 5kb... these are the ones that hackers use, not the ones that you can buy to spy on your kids.

    Not all antivirus and antispyware software programs can detect and remove the software, so just because your scan came out clean don't let your guard down.

    Rule of thumb to follow is never use a GMail or Hotmail account for any financial user names, only use your ISP domain and don't use that email address for anything else. Change your password every three months - yes, it's a hassle... but it's better than the alternative.
  • abelacts
    I don't think it's got something to do with phishing. Mine was hacked before and I don't click on email links. And I don't think they stole your password from your email either. Somehow, how it happened really intrigued me until today. But fortunately, Paypal refunded all the funds.
  • Lokesh Sharma
    Originally Posted by abelacts
    I don't think it's got something to do with phishing. Mine was hacked before and I don't click on email links. And I don't think they stole your password from your email either. Somehow, how it happened really intrigued me until today. But fortunately, Paypal refunded all the funds.

    I wonder if you too used to use the same passwords for all your internet accounts as was the case with Kirk...

    - Lokesh Sharma
  • Tina M. Rideout
    Dave and I had ours attacked about this time last year. A mess for sure. They totally wiped out our accounts. Paypal gave us our monies back, but that was the least of our worries. Dave had to borrow money to get his bank paid off for all the overdraft fees, which I believe his bank refused to refund.

    The worst part -- they took our domain names - and played havoc with our hosting etc. from info they had via PayPal account history and our Gmail account.

    We had to change all passwords to everything. We have no idea how, but at the time Gmail had some hacking issues. Nothing to do with phishing etc.

    As a matter of fact just last month we realized two of our sites were on WHOIS for the hacker. Got it taken care of but still scary!!!

    Tina
  • Kirk Ward
    Wow Tina,

    That sounds like a real pain in the gazitchka!

    I've used the same hosting company for eleven or twelve years now, and while I know they're a little bit overpriced on domain registration, I am on a first name basis with most of the folks there and have no fears that any problem will be taken care of.

    Luckily they are not a tiny local firm.

    I guess we learn over time ... hopefully not too expensive for each lesson.

    Cheers
    Originally Posted by Tina M. Rideout
    Dave and I had ours attacked about this time last year. A mess for sure. They totally wiped out our accounts. Paypal gave us our monies back, but that was the least of our worries. Dave had to borrow money to get his bank paid off for all the overdraft fees, which I believe his bank refused to refund.

    The worst part -- they took our domain names - and played havoc with our hosting etc. from info they had via PayPal account history and our Gmail account.

    We had to change all passwords to everything. We have no idea how, but at the time Gmail had some hacking issues. Nothing to do with phishing etc.

    As a matter of fact just last month we realized two of our sites were on WHOIS for the hacker. Got it taken care of but still scary!!!

    Tina
  • Kirk Ward
    I have finally figured out where I blew it.

    I posted a project on Rentacoder. I sent a pdf of screen prints of a login to a site I wanted to emulate. I was stupid enough to print the screen shot after I had entered my login data.

    Any one of the rejected coders would have had the login information if they evaluated the job before they bid on it.

    That was just plain dumb ... and reminds me to always set my web forms to place *'s in the text box when a password is asked for.

    Or else, not try to copy someone else's cutting edge work.

    Cheers
  • marketing1012
    Far out, that's scary as. I watched a documentary on hackers, scary stuff man!
  • jerodrx
    Hi Kirk,

    I use Roboform for everything, but there are two passwords that I don't store in Roboform, and I only use those passwords from my very own internet connection in my house or office. Those two passwords are my PayPal account and my online banking.

    I don't know if it is really possible that someone can steal your passwords from Roboform, but I don't want to put my financial information at risk.

    And another thing is that when I'm going to use my PayPal account I don't use my PC keyboard, I use the 'keyboard on screen' feature on Windows, because I read in a PC security forum that some viruses or cookies can read what you are typing on your keyboard, but they can't read anything if you use your mouse and the keyboard on screen.
