There are actually a number of ways something [like this] could happen as there are a variety of ways that the PayPal system is vulnerable to hackers and hacking - especially since they rely on email addresses (and allow email addresses from places like Gmail, Hotmail, Yahoo, etc - all places that have experienced hacking in the past) for log-ins.
For one example, certain Gmail users including myself ran into a situation about a year or so ago where their email accounts got hacked into through some undisclosed backdoor-vulnerability means. For some of the unlucky users whose email accounts were their primary accounts where they stored or had all sorts of important and private information sent to them, their bank accounts, PayPal accounts, and other online service accounts got hacked into as well.
Lucky for me, the email addresses that got slammed (yes, multiple) were all defunct and were all addresses I never associated with anything important (suspiciously, though, is that they were all associated with LiveJournal). Not so lucky for a friend of mine, his online banking got compromised along with his PayPal account and his webhosting account along with domain name services were similarly compromised - OWCH.
On a social networking site like LiveJournal which has gotten compromised in the past and with all the communities around (like this one) where PayPal and personal information flows fairly readily (email addresses, zipcodes, sometimes addresses and names, etc), the risk of being hacked is increased as PayPal uses email addresses for its method of log-in.
So how to help prevent such a thing from happening?
1) CHANGE your PayPal password to something that is not associated with any other service you use online (especially LiveJournal or your email addresses!) and use a combination of letters, numbers, and upper and lowercase.
2) CHANGE the password on your email address (if you have already been affected)
3) CHANGE your PayPal's email address to something that is PayPal-exclusive and give it a password not associated with PayPal or anything else
4) ACTIVATE THE SECURITY KEY OPTION on PayPal. Go to your Profile and then click My Settings and from there, update your Security Settings feature. This feature may or may not be available to all PayPal users as one of the options involves text messaging from a US-based center/number. Also, please understand that if you DO enable that feature, you will be texted a security key each time you want to log in and that could cost you money depending on how your mobile service handles texting. Thank you to couchpotatonet for the tip!
5) SCAN your computer for viruses and related things in case the reason for hacking is because of a keylogger
6) BE CAREFUL OF WHERE YOU POST your PayPal information
7) USE ADD-ONS for your web browser if applicable like Ad-Block and NoScript when browsing the general internet to help filter out potentially malicious scripts. As the 'net becomes more and more advanced, it becomes easier and easier to sneak in scripting. Be warned: Even innocent places can be a carrier for a virus which is why it is important to keep your antivirus updated. Thank you to __sasami__ for the reminder!
For those of you who have gotten hit with the PayPal hacking, I would suggest checking your email account and its settings (especially the settings which allows access to the email account outside of the webpage) to make sure it hasn't been compromised as well.
Of course, preventing the problem is partially dependant on how the hacking occurred in the first place. In this case, besides the obvious (like not posting your PayPal information and password together), a good measure of prevention involves simply closing off as many loopholes as possible.
But how many loopholes can you close without making things overly complicated?
Is it worth it to even attempt to close some of these loopholes?
In a community like this one, what can be done to increase security? Make sure that all posts that require disclosure of personal information (including PayPal-related information) be community-locked?
Back to the question on whether or not it is worth it to try and keep everything as secure as possible, below are some potential ramifications of having one's PayPal account (or even just a primary email address) hacked.
Depending on the nature of the hacking, a hacked PayPal account can result in:
- Money lost owing to fraudulent transactions (either temporarily or permanently)
- Depending on HOW much money lost and how the fraudulent transactions are processed, issues like overdraft and overcharging on a credit card could occur (banks and credit cards normally will not hold the user liable, buuut...)
- PayPal account/email address being blacklisted by sellers/whoever had the misfortune of having a fraudulent transaction initiated from the hacked account
- Personal information (full name, all possible addresses, phone numbers) being stolen
- Personal information being used for identity theft purposes
- Credit card information being stolen (partial credit card number, expiration date, type of card)
- Credit card information potentially being further hacked into
- Transaction list being mined/exploited (grabbing the list of most recent transactions which then reveals full names and PayPal addresses)
All of this might sound like an exaggeration or an extreme possibility, but why else would someone want to hack into a PayPal account or email address? Obviously there's important information there that they want and just as obviously, since it isn't their account, doing a lot of damage to it won't matter.
Also, some banks and some credit card companies - as much as they say they protect you on fraudulent charges - are able to wrangle their way around what is considered a fraudulent charge. If you catch the fraudulent charge(s) early, it is a lot easier to tell the company, "Whoa! -I- didn't initiate that charge!" If it is caught later, the company might go, "Okay... so why did you wait until NOW to notify us?" Furthermore, even if the companies are perfectly reasonable, there IS still the whole mess to deal with involving straightening everything out which can involve trips to the bank and phone calls to the credit card companies.
And how about potential identity theft?
THAT, in and of itself, is a pain to deal with and could have far-reaching consequences including long-term impacts on your credit report.
Speaking of which...
If an account has already been compromised, there are a few actions I sincerely recommend taking:
Treat the situation as if you lost your wallet:
- Close out your PayPal account and open a new one whose log-in information is unique to that account and that account only
- If applicable, place a Fraud Alert on your credit reports through the credit bureaus available in your country
- Alert your credit card companies and/or bank about the problem; depending on your credit lender and/or banking institution, they might suggest canceling all the old accounts and getting new accounts
To those of you who have had their accounts hacked, I'm really really sorry to hear about it and I hope the situation gets resolved soon with as few problems as possible!