Disputing Unauthorized Transactions on Paypal

So my Paypal account was hacked at exactly 10:01am this morning. In the many years that I have been doing online transactions, I’ve gotten used to frauds and hacks but this one from Paypal (Unauthorized Transaction) is the biggest so far.

Just woken up before 10am this morning and was checking the blog when I received an email alert from Paypal (thanks to the GMail pop-up alert plugin). The heading says something like “Password Reset” so I immediately logged into my email and check what it was.

Realizing that someone tried to submit a “Forgot Password” request, I went to Paypal and logged in. After 2 failed attempts, I concluded someone got in and changed my password. But how? First came to mind was one of the email accounts attached to my Paypal account was hacked and used to reset the password.

Knowing that my GMail is still working (and is my primary Paypal account), I hurriedly went and did another password reset. Good thing I had my bank account details ready.

After being able to log back again, I found that funds were transferred to another account (that was fast! it only took him minutes). Unfortunately, it was a sizable amount.

The first thing I did was remove all the other email accounts linked to Paypal so the hacker can’t request another password change. I also changed my passwords and details.

I then filed for Dispute with Paypal. I thought this would be easy and will be resolved in my favor. Besides, I am the one claiming the transaction was un-authorized — the burden is on the recipient to prove otherwise. I had confidence it will be alright and done with.

Around 30 to 45 minutes later, I received an email from Paypal stating the transaction is valid. What? The recipient had a Non-US, Un-verified account. Paypal did not give any details why they decided against the claimant (me) and approved the transaction and closed the dispute.

There was no other way to re-open the case so I tried calling Paypal US but the Web PIN they gave me doesn’t work and I could not get thru.

Still thinking of ways to re-open that dispute. Will update once I get things cleared.

Update: Hacker got back again using password reset. They also changed my primary email so I am locked out now (it looks like they added a new email, onlinebuys@yahoo.com, and then made it primary email then deleted my email accounts). Already send an email to PayPal support, DMed @AskPaypal and tried calling the US number many times to no avail.

Update 2: I believe it was my fault that I did not immediately changed my GMail account. It was the one that was compromised although the password on the email was not changed the first time around that’s why I did not suspect the initial breach to come from there. I have since added the 2-step authentication method which also requires a PIN sent thru my mobile phone via SMS.

I also called my credit card company and asked if there were any charges passed on thru Paypal and glad that there have been none. I alerted them of the possibility though and they suggested I monitor it from time to time.

Update 3: After a few exchanges with @askpaypal over Twitter, a Paypal US rep called me last night over the phone and helped me restore my account. I have since gained back my original Paypal account. The 2 fund transfers made are also now under investigation.

Update 4: I just got an email stating that my claim for un-authorized transfer has been denied due to lack of evidence. I thought that after establishing that my account was hacked, it would have been evidence enough. I’m making an appeal.

Update 5: Both of the un-authorized transfers have now been reversed and everything is back to normal. Thanks to Paypal for the quick response and to all those who extended the help (local PR, agency, fellow tweeps and especially @askpaypal). That’s 32 hours from incident to resolution.