
How did a hacker get into my PayPal account?

Michelle Couch-Friedman

Consumer reporter and ombudsman

A few days before Christmas, Robin Shermon was shocked to learn about the PayPal Key in the most terrible way. That’s when she found that a hacker had created a PayPal Key for her and made a $2,000 purchase using her cash.

Now Robin hopes that our advocacy team can get her hard-earned money back.

Can we do it? (Note: PayPal retired the “PayPal Key” product in April 2022.)

“I don’t even know what a PayPal Key is!”

In the middle of all the hustle and bustle of the holidays, Robin woke up to several unexpected PayPal alerts.

“The first one said I had signed into an unknown device,” Robin recalled. “I had been sleeping, so I definitely had not done that.”

Curious as to what was going on, she signed into her PayPal account. She quickly noticed two more alerts. One of these congratulated her on creating a new PayPal Key; the other advised that her first purchase was pending.

Shermon continued reading through the emails and the documentation in her PayPal account with growing dread and confusion.

“Someone used ‘my’ PayPal Key and made an online purchase at the Apple store,” Robin reported. “$1,999 was pending from Apple — in Hong Kong!!”

Robin had never even heard of the PayPal Key before. So she began a swift investigation and soon realized someone had hacked her account from halfway around the world. While she slept in New York, the hacker created a virtual payment card. Using funds Robin had allowed to accrue in her PayPal account, the thief made a giant purchase in Hong Kong.

“I assume they ordered themselves a computer,” Robin surmised. “But when I called Apple, they told me the PayPal Key purchase information I had was encrypted. They could not tell who or what was purchased – even though the hacker used my money.”

Robin’s next move was to ask PayPal for help.

Unfortunately, that would prove to be an impossible mission. We’ll get to that fiasco in a moment.

But to fully understand what happened, here’s a brief explanation of the PayPal Key.

What was the PayPal Key?

The PayPal Key was a payment option offered for a short time by the money transfer company. It never became available to all users and was retired in April 2022.

A hacker created this PayPal Key — I need help!

But Robin had never asked to create a PayPal Key. So she assumed that PayPal would quickly reverse the charge and delete the virtual card from her wallet.

She was only half right.

When Robin reported that a hacker had created the PayPal Key and asked the company to help her, the agent swiftly deleted it and locked her account. She asked about the pending charges, to which the representative explained that the case was “in review.”

Robin’s frustration was growing. She wondered why the agent was unable to block what was still a pending transaction.

But within an hour, she was relieved to receive a text message from PayPal. It had declined the $2,000 fraudulent transaction.

PayPal: Apple com/HK purchase declined because you used deleted PayPal Key *****. To get a new key go to *****.

That relief was short-lived.

PayPal had deleted the hacker-created Key and declined the purchase. But then…

After receiving a follow-up text reiterating that PayPal had declined the transaction, Robin received a third notification. She could not believe her eyes as she read the announcement that PayPal had now approved the purchase in Hong Kong. The deduction of the $2,000 from Robin’s account was no longer pending.

Her money was gone.

“Why did PayPal approve this fraudulent charge?”

Robin went back into the resolution center. Through the chat feature, she tried to find a human to engage.


Robin to PayPal

Then a few minutes later, Robin received a new email from PayPal.

Case Closed: Transaction not covered

Thank you for reporting this case. After reviewing your case, we found that the reported transactions were not unauthorized and hence couldn’t be covered under PayPal Purchase Protection. (PayPal Resolution Center)

PayPal Resolution Center closing the case

Transactions were not unauthorized?? Shermon’s blood began to boil. She hadn’t authorized anything. PayPal approved the fraudulent Key transaction after she had repeatedly reported the crime.

MY CASE WAS JUST REJECTED. IT IS FRAUD. THIS IS SHOCKING! I need the following information for the police: What was the PayPal Key number that you authorized that allowed a hacker to make this web order?



Robin pleading to PayPal

Except for another email repeating that PayPal considered the case closed, Robin heard nothing further from the company.

Her next stop? She headed down to her police station and filed a report of larceny. Then after finding an article online in which we covered a PayPal problem of a different nature (See: Here’s what happens when you give an iPad thief your home address), Robin’s request landed on my desk.

Asking our consumer advocacy team for assistance

Just days after Christmas, Robin read about the case of Isaac Benzadon. A thief had stolen money from his PayPal account as well (See: Someone took money from my PayPal account. How do I get it back?)

Robin hoped that we might be able to help her in the same way we helped him.

Like one of your readers in your article on PayPal, I was hacked. $2,021 was sent to Apple in Hong Kong. The hacker opened a PayPal Key and took my entire balance. I am so frustrated with PayPal and I am thrilled with the prospect of you assisting me. I still have yet to speak to a human over the phone. They claim they see no “unauthorized transactions” on my end.

When I looked over Robin’s paper trail, one thing was clear to me: She had not been speaking to any humans. There was no way a real person at PayPal would have approved this payment after her repeated reporting of the fraud.

I was sure that Robin had been “talking” to bots at all times. So it was time to ask an actual human at PayPal to take a look at this debacle.

The good news: PayPal will refund this Key charge

A real person at PayPal has always been very helpful to our team. I was sure that she would want to have a look at Robin’s dilemma.

Hi ******!

I hope you’re having a lovely holiday!

We have a PayPal customer here with an unusual problem. I haven’t encountered this “PayPal Key” before tonight. But this customer says that she got an alert that a hacker had created a PayPal Key from her account and then purchased a $2,000 item from the Apple Store in Hong Kong. She called PayPal right away and reported it as fraudulent. PayPal declined the charge two times and then, for some reason, on the third day, approved it.

Unfortunately, Robin had a cash balance in her PayPal account and this transaction drained it. It looks like she’s been dealing with chatbots and not real people at PayPal who told her that her case was rejected. She’s filed a police report and tried to get a human at PayPal to review the problem so that the Apple store in Hong Kong might be able to stop the shipment. But she has no specific information about the purchase.

Could you see if your human team could take a look at this one and find out what’s going on here? Thank you!😊

Michelle to PayPal

And the good news for Robin came quickly. After a brief investigation, the real people at PayPal saw what the chatbots could not. Their team agreed that Robin was a victim of a hacker — she had not authorized the giant purchase in Hong Kong.

The bottom line

Hi Michelle!!!! PayPal just transferred my money back to my account!!!! I cannot thank you enough. I’m so, so, so beyond grateful for all that you’ve done for me!

You were the only one that could help me!!!!

And with that, we can happily close Robin’s case as one more win for consumers!

How to protect your PayPal account from hackers

Our case files suggest that hackers love to target PayPal accounts. But, by taking a few simple precautions, you can protect yourself — and your cash — from these thieves.

  • Make sure your password is unique
    Many consumers use the same password across many sites. Thieves know this. Remember, if you use the same password and a hacker gets into one account, they’ll be able to get into many of your accounts. Your problems will be instantly magnified. If keeping track of a separate password for all your accounts sounds daunting, consider using a password manager. Those programs can do the work for you.
  • Turn on 2-step verification
    If you want an extra wall of protection between you and online predators, turn on 2-step verification in your PayPal account. Each time you sign into PayPal, you’ll receive a new, temporary six-digit code to your phone. Unless a thief also has access to your phone, 2-step verification will foil any hacker’s attempt to grab your cash.
  • Don’t leave funds in your PayPal account
    PayPal is not a bank account and you should not use it as one. The regulations that apply to money you keep inside an FDIC insured bank do not apply to balances inside your PayPal account. Although unlikely, if PayPal should suddenly go out of business, your money could go with it. The FDIC does not protect users’ balances from the risk of PayPal’s insolvency (Source: the PayPal user agreement). And don’t forget, when you leave sums of cash in your PayPal account, you’re leaving yourself vulnerable to hackers.
  • Don’t leave direct access to your primary bank account
    Guess what happens when you store your bank account information in your PayPal account and a hacker gets inside. The predator has direct access to your bank account and the results can be disastrous. The criminal can easily transfer funds from your bank account into your PayPal account and then quickly send those funds to their own account. If you frequently use PayPal to receive payments, creating a secondary (intermediary) bank account is a critical safety measure.
  • Keep a frequent eye on your PayPal account
    Infrequently monitored or dormant accounts are a hacker’s dream. Sign up for activity alerts on your PayPal account and make sure you always read them to find out when PayPal detects unusual activity on your account. But…
  • Don’t reply to activity alerts
    A frequent tactic of online predators is to send out phishing emails that look like the real thing. These emails alert you of suspicious activity in your PayPal account and ask you to reply directly to the message. When an unsuspecting account holder replies, the next screen asks them to enter their login credentials for security. Now the criminal has all the information necessary to hack into the victim’s PayPal account. Any time you receive such an email, do not reply to it. Instead, sign in to your account (not through any links in the email), and confirm what’s really going on.
  • Contact a real person at PayPal
    If you have an urgent problem and need to speak to a real person ASAP, you can use our Research Valet — Just Ask Meera. She can help you find someone at PayPal and make sure you don’t get stuck in a frustrating conversation with a chatbot who has no ability to actually help. And if that doesn’t work, you know where to find the Consumer Rescue team. 🙂 (Michelle Couch-Friedman, Consumer Rescue)
Michelle Couch-Friedman

Michelle Couch-Friedman is the founder and CEO of Consumer Rescue. She is a consumer advocate, ombudsman columnist, mediator, writer, and licensed psychotherapist. Michelle is a public speaker, and her expert guidance has been cited in MarketWatch, Consumer Reports, Travel & Leisure, The Wall Street Journal, Newsweek, Popular Science, CNN, CNBC, Boston Globe, CBS News, National Geographic, Travel Weekly, Reader's Digest and more. You might even catch Michelle on TV reporting on a situation. :) Michelle is also the travel ombudsman columnist for The Points Guy and is the former executive director of the nonprofit Elliott Advocacy. During her six years in that position, she resolved thousands of cases for troubled travelers and other consumers. You can read hundreds of 5-star reviews Michelle earned during her service to the nonprofit since 2016 here on Great Nonprofits. She is also a member of the Society of American Travel Writers. Today, she continues to spend as much time as possible fiercely defending consumers and traveling the world with her family. Contact her at Michelle Couch-Friedman or on LinkedIn, Twitter or Facebook.