Last month right before our trip to Mexico City, I got a text message saying my PayPal account had a $11k charge and asking me if it was my authorization. I immediately replied no and verified that was a legit message from PayPal. We went onto the trip and I didn’t think of this matter in the next few days.
A week later, I noticed our checking account had a $11k withdraw from PayPal! WTF?! I called the bank immediately. They said the only thing they could do was to close my checking account and open a new one, and suggested me to contact PayPal first. Hence my month-long wrestling with PayPal began.
Before I go on to lay out my experiences with PayPal, I’ll list findings from our forensic checks of how the orders were placed without our knowledge. The result was very shocking to me.
- My checking account was charged because it was linked to my PayPal account.
- When the 11k charge happened, I got hundreds of spam emails within a few hours. Gmail blocked most of them but still more than 100 showed up in my inbox. Apparently hackers tried to overwhelm my inbox so I miss any alert emails.
- My PayPal account was linked to Wen’s eBay account before.
- Wen’s PayPal account was also linked to Wen’s eBay account, and also had 4 unauthorized charges since Aug 2023, total ~8k$. ~$4k was charged to our credit card reward points(!), which was very sneaky as reward point transactions have way less notifications and checks than usual credit card charges. The other ~$4k was charged to someone else’s card that hacker added to Wen’s PayPal.
- Wen’s eBay account was hacked and all the orders were placed there. The orders were “hided” in eBay (not sure why eBay even has such a function…) so it was harder to notice at first. Wen’s eBay account didn’t have 2FA enabled before this. So it was a weak link. At first I thought this was the “entrance” the hacker found.
- But a few days later I found Wen’s gmail was also hacked… there was a filter created in gmail to delete all emails with the words “eBay” or “PayPal”. This was why we didn’t notice any of the hack orders. Wen’s gmail apparently didn’t have 2FA enabled until Nov 2022. But she did place some order in Aug 2023 and received the emails. So the filter was created within Aug 2023, after her last legit order and before the first hack order.
- eBay support said the hacked orders were placed from our home IP.
- Wen’s Google account sessions don’t have devices or locations we don’t recognize.
- Hacker’s “entrance” was likely one of Wen’s devices that has her gmail account logged in, and/or eBay logged in.
- But at the end, I couldn’t confirm which device was hacked or how exactly the hacker took control of Wen’s accounts.
In the past few weeks I files several tickets with PayPal and had numerous calls with their support. The resolutions were really inconsistent and not transparent at all.
- For the 11k charge on my PayPal account, I filed a ticket and claimed it was an unauthorized charge. I supposed it would be an easy case, as I replied the text message immediately and told PayPal it was unauthorized when the charge happened. But I got turned around several times. The case was denied after a few days. I called support. An agent told me to change it to “item not received”. I waited more days and seller apparently provided shipping confirmations, so the case was denied again. I called the support again to reopen the ticket and I reiterated it was a hack, and the case was denied after another week… I called PayPal support again and filed a new ticket and reiterated the same information again, and it was finally refunded this time…
- I filed a ticket for the four hacked charges in Wen’s PayPal account as unauthorized access as well. To my surprise, three of them were refunded very quickly. But one smallest charge was left out and not refunded for unexplainable reason… I called PayPal support and one agent said she filed an appeal for me (essentially reopened the ticket). A few days later it came back denied again… I’ll keep argueing with PayPal support.
So in summary:
- I got ~19k back among the ~20k stolen money (including ~4k on someone else’s stolen card), not too bad…
- The hacker went away with the goods they bought. The refund I got probably came from either the seller or insurance.
- I still don’t know exactly how the accounts were hacked…