This was passed along by Schlock Mercenary’s Howard Tayler — with one caveat… please don’t contact him for more information about the situation. Answering questions and releasing additional information would only leave him open for further security breaches. I’m extremely thankful to him for sharing his story.

Sandra and I got off our 4-hour flight back from Atlanta, and Sandra checked her email. There were 20 Paypal notifications indicating she’d been shopping. Specifically, she’d beeing buying postage at between $130 and $200 a pop.

We immediately knew we’d been hacked, but were unsure of the extent of the damage. The potential damage was pretty great because we have one of our bank accounts and one of our credit cards linked to PayPal. (We can debate the wisdom of this later. Obviously Sandra and I are debating the wisdom of it first thing in the morning.)

We opted for division of labor: I collected luggage, Sandra called PayPal customer support. I hauled everything to the car, she waited on hold. I drove, she waited on hold some more. By the time we cleared Point of the Mountain (35 minutes or so into the trek home) the support folks at PayPal had 1) frozen the account, 2) admitted that this was obviously a hack, not us spending money, and 3) agreed to refund any withdrawals used to cover charges.

We didn’t have any of our account numbers handy, but Sandra was able to confirm our legitimacy over the phone with the linked credit card number, our home phone, and the last four digits of my SSN. That happened very early in the call, before going on hold. 

While Sandra was on hold, I went ahead and called our bank and prepared to freeze all our accounts. Again, I didn’t have the account numbers memorized, but my debit card number and the last four digits of my SSN seemed to be proof enough. They got a security tech on the phone, he and I were literally seconds from pulling the trigger, and then PayPal picked up again. 

I told the bank security guy to wait, and told him WHY he was waiting. He was very accommodating. Sandra got word from the PayPal tech that based on their information, the hack did NOT expose our credit card account or bank account information to direct attack. They locked the PayPal account, agreed to refund money, and promised to follow up with us.

I got the bank guy back on the phone, and explained the situation to him. He agreed that our account should be safe, but he also flagged it so that any activity at all is going to raise some suspicion. There will be follow-ups later.

All of the hack transactions took place in a 30-minute window, and all of them bought USPS postage through PayPal’s postage printing engine. By the time we were off the plane checking email, the attack was three hours old. 

We got lucky. This could have been much, much worse. 

So: the convenience of bank-to-PayPal transfers? Probably not worth it anymore. Same with credit cards.

Also, it’s probably a good idea to have a little sheet of paper with some mysterious numbers on it in your wallet, or maybe a memo in your phone, something so you can quickly confirm your identity to a security rep at the bank, PayPal, or the credit card company.

Final advice: if your bluetooth earpiece isn’t working, and you decide you don’t care because you don’t like driving around looking like a total douche, know that there may come a time on the freeway when you really wish you could look like a legal, headset douche instead of a talking-on-his-cellphone douche because this particular call is really, really important.