My Paypal account was hacked - Has your ever been hacked?

[Kirk Ward]

My PayPal Account was hacked tonight and large payments were sent. Luckily it seems PayPal caught it as there were no funds available since I transfer funds out of that bank account daily and maintain a zero balance account. Glad I learned that system from my bank loan auditing days.

Meanwhile, I had to file my first fraudulent transaction report, on top of their internal investigation.

Wondering how often this happens, and sort of wondering how the hackers figured the password. Brute force or PC keylogger? I use RoboForm rather than type my passwords ... is that easily captured or hacked?

What else can I do to protect passwords stored on my PC? I use Sunbelt Software products Vipre and Personal Firewall, and have felt reasonably comfortable with them.

Your experiences, advice and feedback will be appreciated.

Thanks,
Kirk Ward

[Odhinn]

I had my Paypal hacked about a year ago, but PP was very helpful in refunding me all of my money and setting up security and all that. It took them about two days, but during that time they blocked incoming and outgoing payments to me, which was pretty annoying.

I think you definitely need to look into your email accounts associated with the Paypal account, as that's how I assume they got in to my account as well. Fortunately, I was smart enough to change primary emails with PP when the hack occurred, but a week after, I noticed someone spamming my address book from the gmail address that had originally been used as the primary paypal.

Of course, I immediately signed up with one of those privacy protection services for my credit cards and banking info. Nothing else ever came from this though.

Lucky for me, a few changed passwords, some apology emails, and a few days with no payments coming in from Paypal, and I came out OK. All things considered, it wasn't that bad, though I was pretty stressed at the time.

[Kay King]

Often it's because someone has clicked a link in a phishing email - but I know you wouldn't do that.

Wonder how it could happen from paypal's end - interesting. I've known just a few marketers who've had this happen. It's the brighter side of Paypal's security (that sometimes cause us problems) - they seem good at catching the problem and every person I've known it to happen to did get their money back. But it's hassle to deal with.

I don't worry about roboform - but I've never been comfortable using gmail for personal info. Don't have a reason - just always felt that way. I keep all personal and financial content emails in email accounts through my isp though I use gmail for everything else.

kay

[stateless]

This is all very worrying. I wonder how it occured in all of your cases? I guess I've been lucky so far. No viruses etc and I've been wise to all phishing attempts, even though some of them are very convincing.

[Dan C. Rinnert]

You can get a PayPal security key that offers an extra layer of protection.

Interesting that they say the problem was on their end. Scary, actually.

[Chris Kent]

Sunbelt is a great firewall, I use it's predecessor: Sygate. So I'm amazed if you have had your PC compromised.

Was your old password a simple dictionary word with no numbers or symbols? It wouldn't surprise me if hackers are just using brute force, does Paypal have a number or time limit on password guesses? I don't think they do.

[Kirk Ward]

I appreciate all the feedback ... it's helpful to see what experiences others have had and what thoughts are running through their heads.

It wasn't a problem with PayPal, they caught it immediately, and although I'm sure they have more security than what I know of , it was probably because all funds go into a zero balance sweep account, or because it was from a questionable ip address.

I am pretty sure it was my fault, using the same password as with another login. Maybe some pseudo-IM membership site that gathers email address and passwords for their "membership" site and then looks to see if someone was dumb enough to use the same password for their junker research as they were for their banking.

I was.

Lesson learned, duh.

Maybe my IQ is down to where I could work for the government.

[ems82]

Hello,

It is really scary that hackers are able to hack our PP accounts with the help of email accounts.so, what do you suggest? which email accounts do you think can be safer for us? i mean, hotmail? gmail? yahoo? or, something from your domain or ISP?

Your recommendations can help many people.

[bob_sikorski]

The phishing emails get more convincing everyday. Don't forget to forward these emails to spoof@paypal.com

May I suggest you check the credit card and bank info you have listed with Paypal and look over your monthly statement. If someone does hack into your PP account and try to steal $100 and there is only $50 in your PP account, the remaining $50 is automatically deducted from your bank account or credit card.

[Kirk Ward]

I recommend using an email account from your own domain. If you have an isp you can communicate with, the password can be changed, even if they hack your domain.

My mistake was not changing my PayPal password from the one I used when I created it. I was sloppy and used the same password I use a lot for sloppy stuff. One for dangerous p[laces, and one each for all things important seems to be a bit safer.

Thanks Bob, I already done did that.

One additional point. The damage goes beyond me. I just got a phone call from a kid who received one of the payments. Seems he released his World of Warcraft character license to someone with a gmail account as soon as he saw the funds hit his Paypal account. Did you know that a World of Warcraft character license can sell for $300 or more? Jeez, I'm in the wrong business.

Cheers.

[LordXenu]

Could have happened any number of ways. phishing, keyloggers/spyware, even just plain luck. best way to avoid spyware is to NOT DOWNLOAD PIRATED SOFTWARE. I'm not saying you did, but any time I run an app that even slightly tickles me the wrong way, I do it through a virtual machine. thiss goes for all sorts of applications, including marketing software purchased on what are otherwise reputable forums. I have tinyXP installed in a virtual machine running under Sun's VirtualBox. This is all free, and should save you from the most of your spyware infections.

[JamesCallowag]

My paypal account hasn't been hacked, but my ebay account has. It was a very bizzaree experience when my account was doing all kinds of magical things i don't even know how to do, and getting charged fees i didn't even know existed. Soon I did call their customer support and worked it all out.

[edhan]

Anything to do with banking or money concerns, I write down the passwords in my diary. So, whenever I need to login, I will check with my faithful diary.

I changed passwords monthly so my diary filled with crossing of passwords.

I always believe in 'better safe than sorry'. So we ourselves need to take extra precaution to avoid things like this happening. Though some may say that it is tedious to do so but safety is always my first priority.

[Stevecyr]

Hey.. I hope none of ur money has been stolen. And 1 request for U.. wud U try going in a bit more detail so that we can protect us from being stolen?

[Kirk Ward]

Ed, I especially like the idea of frequent password changes. I have to do that on a couple of bank accounts. I'm surprised PayPal doesn't institute something similar.

Thanks,
Kirk

Quote:

Originally Posted by edhan

Anything to do with banking or money concerns, I write down the passwords in my diary. So, whenever I need to login, I will check with my faithful diary.

I changed passwords monthly so my diary filled with crossing of passwords.

I always believe in 'better safe than sorry'. So we ourselves need to take extra precaution to avoid things like this happening. Though some may say that it is tedious to do so but safety is always my first priority.

[anth.elias]

As a computer geek I know a lot of the ways that hackers get into accounts, brute force does not work on PayPal. Keyloggers are one of the main reasons you could have your account hacked into. Keyloggers are very small files less than 5kb..these are the ones that hackers use not the ones that you can buy to spy on your kids.

Not all antivirus and antispyware software programs can detect and remove the software so just because your scan came out clean don't let your guard down.

Rule of thumb to follow is never use a GMail or hotmail account for any financial user names, only use your ISP domain and don't use that email address for anything else change your password every three months-yes it's a hassle..but it's better than the alternative.

[abelacts]

I don't think it's got something to do with phishing. Mine was hacked before and I don't click on email links. And I don't think they stole your password from your email either. Somehow, how it happened really intrigued me until today. But fortunately, Paypal refunded all the funds.

[Lokesh Sharma]

Quote:

Originally Posted by abelacts

I don't think it's got something to do with phishing. Mine was hacked before and I don't click on email links. And I don't think they stole your password from your email either. Somehow, how it happened really intrigued me until today. But fortunately, Paypal refunded all the funds.

I wonder if you too used to use same passwords for all your internet acocunts as was the case with Kirk...

- Lokesh Sharma

[Tina M. Rideout]

Dave and I had ours attacked about this time last year. A mess for sure. They totally wiped out our accounts. Paypal gave us our monies back, but that was the least of our worries. Dave had to borrow money to get his bank payed off for all the overdraft fees, which I believe his bank refused to refund.

The worst part -- they took our domain names - and played havic with our hosting etc. from info they had via paypal account history and our gmail account.

We had to change all passwords to everything. We have no idea how, but at the time gmail had some hacking issues. Nothing to do with philshing etc.

As a matter of fact just last month we realized two of our sites were on WHOis for the hacker. Got it taken care of but still scary!!!.

Tina

[Kirk Ward]

Wow Tina,

That sounds like a real pain in the gazitchka!

I've used the same hosting company for eleven or twelve years now, and while I know they're a little bit overpriced on domain registration, I am on a first name basis with most of the folks there and have no fears that any problem will be taken care of.

Luckily they are not a tiny local firm.

I guess we learn over time ... hopefully not too expensive for each lesson.

Cheers

Quote:

Originally Posted by Tina M. Rideout

Dave and I had ours attacked about this time last year. A mess for sure. They totally wiped out our accounts. Paypal gave us our monies back, but that was the least of our worries. Dave had to borrow money to get his bank payed off for all the overdraft fees, which I believe his bank refused to refund.

The worst part -- they took our domain names - and played havic with our hosting etc. from info they had via paypal account history and our gmail account.

We had to change all passwords to everything. We have no idea how, but at the time gmail had some hacking issues. Nothing to do with philshing etc.

As a matter of fact just last month we realized two of our sites were on WHOis for the hacker. Got it taken care of but still scary!!!.

Tina

[Kirk Ward]

I have finally figured out where I blew it.

I posted a project on Rentacoder. I sent a pdf of screen prints of a login to a site I wanted to emulate. I was stupid enough to print the screen shot after I had entered my login data.

Any one of the rejected coders would have had the login information if they evaluated the job before they bid on it.

That was just plain dumb ... and reminds me to always set my web forms to place *'s in the text box when a password is asked for.

Or else, not try to copy someone else's cutting edge work.

Cheers

[marketing1012]

Far out thats scary as, I watched a documentary on hackers, scary stuff man!

[jerodrx]

Hi Kirk,

I use Roboform for everything, but there are two password that i dont store in
Roboform, and i only use that paswords from my very own internet connection in
my house or office, that two password are my Paypal account and my online banking.

I don't know if is really possible that someone can steal your passwords from
Roboform but i dont want to put in risk my financial information.

And other thing is that when i'm gonna use my Paypal Account i dont use my
PC keyboard i use the 'keyword on screen' feature on windows, because i read in
a pc security forum that some viruses or cookies can read what are you typing on
your keyboard, but they can't read anything is you use your mouse and the
keyword on screen.

[AlbertF]

I would say to never spread your Paypal login info. If you didn't and you got hacked, I would say it is a cause of a Spyware of some sort or some one somehow got into your account. I think Paypal can trance who logged in and help you.

[Thomas Wilkinson]

Well nuts Tina, I see that my Gmails are set on https but I can't remember
how I did that. There was a thread in here a couple of months ago on how.

[Agung Prabowo]

so spooky...... how bout using a ROBOFORM?

[sbucciarel]

Never had mine hacked but someone hacked someone else's account to purchase websites from me. They purchased 2 before the owner filed a dispute saying he didn't authorize any purchases. I honestly didn't know if it was him or he was indeed hacked, but I believe now he was hacked.

I use DLGuard to deliver my sites and it has a ban customer feature. After the two sites were "sold", I banned the customer by ip and email ... Three more attempts to buy my sites came in but were aborted.

[TorontoCarol]

Hi Kirk, nice to see you here. My daughter's paypal was hacked last year too. Big hassle, but paypal did catch it right away and fixed things up. Right after that, I got one of paypal's security keys and like using it. Not expensive and hopefully does its job.