Had my paypal account hacked

Fr0dders

Fr0dders

Fr0dders

Caporegime
Joined
18 Oct 2002
Posts
33,467
Location
West Yorks
Was sat at work today and i received a notification on my iphone that i'd made a paypal payment for rapidshare. Bit of a supprise to me considering that i was at work in a GP practice at the time in front of a computer that wouldnt even boot, so my ability to purchase rapidshare access was somewhat questionable.

Ive not used paypal in years, except for last month when i bought some brushes from a well known seller on detailingworld (envy valeting).

Is it quite common to have your paypal account hacked ? ive filed a dispute with paypal, but im worried that i'll never see my £50 again. Needless to say ive changed my paypal password and removed all cards from my paypal account.

Rather more worrying was that my paypal and my e-mail password were the same, and the person logged into my gmail account and deleted the confirmatikon e-mails that alerted me to the fraud !! thank heavens for mobile e-mail on the iphone or i would never have seen them.
 
You used the same passwords? That's a sin in a geeks' book. If it was taken out of a credit card then notify your issuer and see if they can fight your case.
 
That's bad news, hope Paypal can sort things out for you !

Quite fortunate he didn't change any of the passwords I guess, but I guess that was his/her point to keep up the deception.
 
Ricochet J said:
You used the same passwords? That's a sin in a geeks' book. If it was taken out of a credit card then notify your issuer and see if they can fight your case.
Click to expand...

Halifax say that as it was a debit card transaction, as such it cant be cancelled.

If it was a credit card transaction it would be different, but the brushes were only £7 so i just used my debit card.

i know the sins of having the same passwords, but in this day and age of online banking and on-line shopping, can you have a different password for the 20 or 30 websites you register with ?
 
MrLOL said:
Halifax say that as it was a debit card transaction, as such it cant be cancelled.
Click to expand...

Halifax are lieing, or the person you spoke to dos'nt know what they are talking about. Theft/fraud, debit/credit it dos'nt matter, it can be cancelled and should have been done as soon as you reported it to them and paypal.
 
Had my debit payments held at the pending stage when my cards got swiped when we were burgled. 14 days later the expiry hit and the payments never left the account. The fraud department held them as I was away without me even realising.

I guess about 7 visits to separate petrol stations and getting max cashback really got their alarm bells going.
 
msm722 said:
Check your machine for viruses.
Click to expand...

Bit useless if the scammer had used a link-jack (i.e an invisible layered button on top of a close button on a spam / ad banner that runs a script when clicked).

No infection, but because the script ran it collected the cookies from the PayPal and Gmail login and essentially used them to gain access to the OPs account without the need for a malicious piece of software. I'm assuming MrLOL didn't log out of the PayPal / Gmail session and just closed the browser, without clearing the cookies.

Download a "no script" plugin for Firefox, change your passwords and clear all private data from the browser before doing anything more.
 
EVH said:
Bit useless if the scammer had used a link-jack (i.e an invisible layered button on top of a close button on a spam / ad banner that runs a script when clicked).

No infection, but because the script ran it collected the cookies from the PayPal and Gmail login and essentially used them to gain access to the OPs account without the need for a malicious piece of software. I'm assuming MrLOL didn't log out of the PayPal / Gmail session and just closed the browser, without clearing the cookies.

Download a "no script" plugin for Firefox, change your passwords and clear all private data from the browser before doing anything more.
Click to expand...

But not useless if he has one.
 
MrLOL said:
i know the sins of having the same passwords, but in this day and age of online banking and on-line shopping, can you have a different password for the 20 or 30 websites you register with ?
Click to expand...
You could do something like insert the first and last letters of the given domain name at points in the common password, at a minimum

But really OpenID needs to take off now :/
 
I prefer to use a short memorable combination for web passwords, and a beast for Wi-Fi etc.

E.g. "Q}LQz&_tKs?*s74hxhJ'"x~;P=_@Di+3{s5$^V#<j<ZSC{Qq@^^>CYP4`r&+t]G"

https://www.grc.com/passwords.htm

..and yes, I printed mine out and stuck it on the back of a door in my cupboard! ha!
 
wush said:
If I had to pick, I'd rather have someone leeching my WiFi than running rampant with my credit card D:
Click to expand...

Indeed, but a shorter combination that's easier to remember e.g. "jA9829u[jT2^" would be equally as hard to crack0rz
 
EVH said:
Bit useless if the scammer had used a link-jack (i.e an invisible layered button on top of a close button on a spam / ad banner that runs a script when clicked).

No infection, but because the script ran it collected the cookies from the PayPal and Gmail login and essentially used them to gain access to the OPs account without the need for a malicious piece of software. I'm assuming MrLOL didn't log out of the PayPal / Gmail session and just closed the browser, without clearing the cookies.

Download a "no script" plugin for Firefox, change your passwords and clear all private data from the browser before doing anything more.
Click to expand...

my paypal login name *is* my e-mail address. so thats how he got that and my paypal password *was* the same as my e-mail address password. So once they got my paypal account, they got my e-mail as well

he didnt initially delete the e-mails, as i saw them. Im guessing he waited a bit, and took pot luck and found he could log into my e-mail and then deleted the confirmations. Fortunately id already seen them on my iphone so was wise.

Is it relatively easy to steal paypal cookies then ?

EVH said:
Indeed, but a shorter combination that's easier to remember e.g. "jA9829u[jT2^" would be equally as hard to crack0rz
Click to expand...

the problem here is not having a hard to crack password. He's hacked it from somewhere, presumably my cookies then used the same hacked paypal username (my google e-mail address) and paypal password (same password for my google mail) to log into my e-mail.

I guess the only solution is to have the same password, but maybe put some sort of alpha numeric l33t version of the domain name in front of the passworrd, so its different for every site.
 
Last edited:
MrLOL said:
my paypal login name *is* my e-mail address. so thats how he got that

and my paypal password *was* the same as my e-mail address password. So once they got my paypal account, they got my e-mail as well

he didnt initially delete the e-mails, as i saw them. Im guessing he waited a bit, and took pot luck and found he could log into my e-mail and then deleted the confirmations. Fortunately id already seen them on my iphone so was wise.

Is it relatively easy to steal paypal cookies then ?
Click to expand...

Let me have your IP address. ;)
 
ill take that as a yes, all i needed to know :p

but its highly unlikely my PC was hacked, im sat behind a NAT'd router with AV and firewall on.
 
So really the title of this thread is a little mis-leading.
Your Paypal account wasn't hacked.
There is nothing wrong with the security of Paypal rather the reason your account has been accessed is due to bad security and choice of passwords.
 
You must log in or register to reply here.
Back
Top Bottom