As was foretold, we've added advertisements to the forums! If you have questions, or if you encounter any bugs, please visit this thread: https://forums.penny-arcade.com/discussion/240191/forum-advertisement-faq-and-reports-thread/
Options

My Paypal was hacked...how?

RaqieRaqie Registered User regular
edited June 2009 in Help / Advice Forum
Someone got into my Paypal account a couple days ago and treated them self to a couple of payments that added up to $700.

This was charged onto my credit card and luckily my credit card company won't make me liable for the charges.

I changed my password on the account and deleted the credit card. Paypal won't let me delete my bank account yet because my account is locked down since they believe a "third-party" might have accessed my account.

There are only 2 ways I could see this happening:
1) Paypal security sucks and someone tried various combinations until they had a hit. My password wasn't anything obvious but it was all letters. I thought paypal denied access after a certain number of attempts though...
2) I have used this password for other sites. Pretty much any site related to money I have a more secure password for but somehow Paypal still had my original password. I don't sign up for anything sketchy really but is it possible someone took my e-mail/password combination and tried it on paypal? What is the likelihood of that? Don't most sites have the passwords encrypted so not even the site owner has access to them?

From now on I plan to be more careful and not use the same password for multiple things but I'm just curious to know how this happened.

Anyone have any ideas?

Raqie on

Posts

  • Options
    xeviqxeviq Registered User regular
    edited June 2009
    Are you sure you weren't Phished?

    xeviq on
  • Options
    PeregrineFalconPeregrineFalcon Registered User regular
    edited June 2009
    3) You got spywarez'd and someone keylogged it.

    4) All letters? Seriously? Throw some numbers and a punctuation mark in there.

    PeregrineFalcon on
    Looking for a DX:HR OnLive code for my kid brother.
    Can trade TF2 items or whatever else you're interested in. PM me.
  • Options
    RaqieRaqie Registered User regular
    edited June 2009
    I've never given out my password to anyone posing as Paypal or anything like that.

    Raqie on
  • Options
    PeregrineFalconPeregrineFalcon Registered User regular
    edited June 2009
    Raqie wrote: »
    I've never given out my password to anyone posing as Paypal or anything like that.

    Have you ever entered a wrong password?
    Have you ever had the PayPal login screen time out?

    If so, either of those could be a scam site using a coverup to the fact they just poached your password.

    PeregrineFalcon on
    Looking for a DX:HR OnLive code for my kid brother.
    Can trade TF2 items or whatever else you're interested in. PM me.
  • Options
    RaqieRaqie Registered User regular
    edited June 2009
    As for spyware: I've only ever logged onto paypal on my home computer which is secure and checked regularly for that sort of thing.

    Raqie on
  • Options
    RaqieRaqie Registered User regular
    edited June 2009
    Raqie wrote: »
    I've never given out my password to anyone posing as Paypal or anything like that.

    Have you ever entered a wrong password?
    Have you ever had the PayPal login screen time out?

    If so, either of those could be a scam site using a coverup to the fact they just poached your password.


    No and no. Actually I hadn't logged into paypal in months until this happened. When I log in I only do so directly from paypal.com.

    Raqie on
  • Options
    Dinosaur Equals GasDinosaur Equals Gas Registered User regular
    edited June 2009
    Sounds like one of the sites you use that same password on was compromised. They might have said "Hey, I wonder if his PayPal password is the same for this site." Which it was. It's good to see that you use a more secure password for almost all of your sites based on money, but it's usually a good idea to throw a bit of variation into it.

    Some people will use the name of the site in their password, such as for chase it would be "20rh23Chase". But that isn't really a good idea since if I was able to get your password for Digg and it was "20rh23Digg" I would assume you use the site name and would be able to guess it for Chase. However if you were to associate the site chase with something like the reason you opened the account, maybe the first job you had that required you to deposit money was target you could do "20rh23Target" that would throw people off and on Digg let's say you associate it with Kevin Rose, you could do "20rh23KRose".

    Sure some people could guess what you associate it with but it would be a lot harder to guess for each site.

    Dinosaur Equals Gas on
Sign In or Register to comment.