
I got this email from service@intl.paypal.com, with the title:

Your account has been limited until we hear from you.

I think this is a scam / spoof email because I don't see any notification in my PayPal account, and this Hotmail account is not used as my PayPal login. (It used to be, but not any more for more than a year.)

But the troubling thing is, the TO: field has my old password as my name, then my email in brackets. A screenshot below should clarify what I'm saying. I've blurred my email and the two red arrows are pointing to what was my old password in plain text.

Is there anything I could do to protect myself? Does that mean the sender has me under their "contact book" with my name as my password? I have already forwarded the email to spoof@paypal.com.


apertur
  • Looks like a sloppy phisher has done you a huge favor by notifying you. – Digital Chris May 05 '14 at 15:20
  • Is your old password a common phrase or name? It might just be a coincidence. – Kami May 06 '14 at 14:21
  • Did you use your password on another site? – Quora Feans May 06 '14 at 18:26
  • You might want to run your email through https://haveibeenpwned.com/ – Bobson May 06 '14 at 19:16
  • PayPal doesn't start their emails with 'dear customer', but with your full name. They know your name, you provided it to them. The spammer/scammer probably doesn't know your full name. –  May 05 '14 at 20:09
  • Proceed with caution here. Also, you can view the link address in the email and then check the certificate at that site. If it's not valid or is different from a PayPal site certificate, then this is most certainly a phishing attempt. You should report this to PayPal so others are not scammed. – jcpennypincher May 05 '14 at 23:29
  • I don't know how the spoofer obtained your password, but it should not have been from PayPal. Even PayPal should not know your password. When you open an account and set a password, the password is mangled to create a string which is stored in the database. When you log in again, the password you enter in the web form is mangled again using the same algorithm, and this is compared with the string stored in the database. The string stored in the database is created using an irreversible algorithm, so that while the string can be created from the password, the password cannot be created from the strin –  May 06 '14 at 17:46
  • Always assume it is spam, as there is a lot of spam pretending to be from both eBay and PayPal. Open a browser separately and type in the PayPal address (the correct one, not one in the email) and never ever click on the email. If there are any problems you will see that when you log in. If you think you have been hacked in any way, always change your password. It takes seconds and can save hours or days of pain. – indofraiser May 06 '14 at 13:18
  • @DigitalChris, they certainly have! But I already knew that password was probably leaked into the wild when the Heartbleed bug was announced. – apertur May 19 '14 at 12:43
  • @Leo, thanks for explaining that, I didn't know the intricate details! – apertur May 19 '14 at 12:43
  • @jcpennypincher, I already forwarded the email the moment I received it to spoof@paypal.com – apertur May 19 '14 at 12:44
  • @Kami, no it wasn't a common phrase at all. – apertur May 19 '14 at 12:45
  • @QuoraFeans, yeah, unfortunately I do. I've started using LastPass since the Heartbleed bug. – apertur May 19 '14 at 12:45
  • @Bobson, I am only positive on the Adobe leak. Good site, thanks. – apertur May 19 '14 at 12:46

4 Answers


It seems like the spammer got your personal information, including your password, through a security breach somewhere. Why did they use your password instead of your name? I would say it was an honest mistake on their side. They just mixed up the fields when designing the spam mail.

If you are still using the password somewhere, you should change it ASAP. In the future you should avoid using the same password for different services. Data breaches are becoming more and more frequent, and they even hit larger companies which really should know how to secure their systems. Using a password manager like KeePass can help you to manage all the different passwords.

Philipp
  • "honest" mistake from a spammer? I didn't know there was anything honest about those people. – corsiKa May 05 '14 at 21:05
  • He meant the fact that the password was sent as the name was an "honest mistake" on their end. – Ninjakreborn May 06 '14 at 03:05
  • This is not a spammer, but a scammer. – Quora Feans May 06 '14 at 18:24
  • @corsiKa _TODO:_ Start a "spam" business where we download data breaches and notify the users included in them along with their included personal information, because some people aren't bright enough to notice the severity of the situation. Then we'll be the good guys. – Cole Tobin May 07 '14 at 01:05
  • I wonder what the point of the phishing email is, if they already knew the password? – Falcon Momot May 08 '14 at 05:30
  • They probably used a database and mixed up the columns when automatically filling in the blanks in the phishing mail. – BlueCacti May 08 '14 at 07:24
  • @FalconMomot As the OP said, the password was old. They wanted to update their database with the new one. – Philipp May 08 '14 at 07:30
  • @ColeJohnson I like the sarcasm; ironically, such legitimate businesses already exist, e.g. [LifeLock](http://www.lifelock.com) in the US and [Garlik](http://www.garlik.com) in the UK, to name just two examples. – RobV May 08 '14 at 09:16

As the answer by Philipp stated, there is a good chance they got your password from some form of security breach. I doubt that they would have obtained that through PayPal's system. It could have happened in one of the following ways, to name a few (with tips on how to protect yourself from each one).

  1. At some point you could have accessed a fake PayPal website via an external source. Perhaps you clicked a link in an email, didn't check the URL, and put your username/password (the old one) into a fake site which recorded your information. Then perhaps they were trying to obtain updated information from you, and made a mistake in their spam mail with your password as your username. This might be explained by you possibly putting your "password" into the username field when you went to this fake site, by mistake. That is one possibility. To protect against this, ALWAYS check for https://www.paypal.com as the login URL at the top. Anything else would be fake. Also, you can always type it in directly instead of following any in-email links, to be safe. As per the comment, the Heartbleed issue could also be the explanation. However, as a side note, from what I read, PayPal was not affected by this bug. I checked and verified this from several sources.

  2. You could have a trojan or keylogger on your computer (or had one in there at the time of entering). Again, you could have accidentally entered your password as your username, so the keylogger could have recorded it wrong, or they could just have gotten them mixed up when they submitted it to an external source. Just make sure you have strong virus scanning software to protect against this.

  3. Internet Explorer is another possible culprit. I have read a lot lately where they were telling everyone not to use IE anymore, as it had a huge security vulnerability. If you used IE for this in the past, that could have been another possible cause.

These are three possible situations.

Someone in the comments requested that I provide resources in regards to the IE security vulnerability. A Google search for the term "IE Security Vulnerability" will return some results.

Also, the following links have some details pertaining to the specific security issue that I am speaking about in this answer.

http://www.cnet.com/news/stop-using-ie-until-bug-is-fixed-says-us/

http://www.reuters.com/article/2014/04/28/us-cybersecurity-microsoft-browser-idUSBREA3Q0PB20140428

http://www.geekwire.com/2014/u-s-government-advises-everyone-stop-using-internet-explorer-security-hole-surfaces/

Other sources can also be found by performing similar searches on Google and other major search engines.

Ninjakreborn
  • Expanding on point `1.`: in light of the recent Heartbleed bug (not sure how affected PayPal was), an attacker may have been able to spoof the PayPal SSL certificate. – Cruncher May 05 '14 at 15:04
  • 4. Password re-use for an account with this email address on any other website/forum which was breached and didn't have anything to do with PayPal. – nvuono May 05 '14 at 21:14
  • @Cruncher, I just wanted to point out that spoofing the PayPal certificate would be an extreme measure for an attacker. There are much more probable ways they could have exploited Heartbleed to gain the password. – David Houde May 05 '14 at 22:46
  • @DavidHoude I was mainly alluding to `To protect against this ALWAYS check for https://www.paypal.com as the login URL at the top`, which wouldn't have been enough had the SSL certificate leaked. And in general, point `1.` was about visiting a fake PayPal site. (The point doesn't matter anymore anyway. OP confirmed that PayPal was not affected.) – Cruncher May 06 '14 at 13:08
  • @Cruncher According to PayPal, [your account is secure](https://www.paypal-community.com/t5/PayPal-Forward/OpenSSL-Heartbleed-Bug-PayPal-Account-Holders-are-Secure/ba-p/797568). They even say `4) There is no need to change your password`, which implies it was never stolen from PayPal. – Jon May 06 '14 at 21:27
  • I'm skeptical about #3. Can you please post some sources for the claim that IE has serious security vulnerabilities? – Kevin May 07 '14 at 00:29
  • @Kevin I have edited my original answer above. I have added 3 major sources for #3, and explained how further sources can also be found. – Ninjakreborn May 07 '14 at 01:09
  • Thanks. Notice that Microsoft has released a patch: https://technet.microsoft.com/library/security/ms14-may.aspx – Kevin May 07 '14 at 04:06
  • Hi @Ninjakreborn, thanks for your answer. I have not clicked on any links to PayPal, so I don't think it's 1. I'm on a Mac and I am unsure how I could confirm 100% that I don't have a keylogger, but I don't think so... and lastly, I use Firefox, so that shouldn't be the problem. – apertur May 19 '14 at 12:49

"Is there anything I could do to protect myself?"
Change your passwords! Good grief, in the midst of debating the what and how of this scam, someone has suggested that you're safe and don't need to change your PayPal password. I really hope that was the first thing you did, way before posting here.

Passwords are like underwear: change them regularly whether you need to or not.

The passwords on your PayPal and email accounts should definitely be considered compromised. In fact, in light of Heartbleed, all your passwords should be changed, and there will always be another Heartbleed. We were just lucky to find out about this one. You were lucky enough to get notice from some crooks that they were fixin' to rip you off.

Meanwhile, learn how to examine email headers to find out the sender's real address. Good, clear instructions can be found here.

Dutch Jeff
  • Yes, I have changed all passwords way before I even considered posting here. I just wanted to learn more about the situation. – apertur May 19 '14 at 12:50
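The header examination the answer above recommends, as an added Python example that is not part of any post on this page. The raw message is constructed (example.com addresses, documentation IP ranges) and modelled on the one the question describes: a From: that claims PayPal, a To: display name that is not the recipient's name, and an envelope sender and originating relay that live somewhere else entirely.

```python
import email
import re
from email.utils import parseaddr

# Constructed sample (not the questioner's real email), modelled on the one
# in the question. All hosts and IPs are documentation/example values.
SAMPLE_RAW = """Return-Path: <bounce-1234@mail-relay.example.net>
Received: from mail-relay.example.net (mail-relay.example.net [203.0.113.7])
        by mx.example.com (Postfix) with ESMTP id 4F1A2B
        for <victim@example.com>; Mon, 05 May 2014 10:01:02 +0000
Received: from [198.51.100.23] (unknown [198.51.100.23])
        by mail-relay.example.net with ESMTPA id 9C77
        for <victim@example.com>; Mon, 05 May 2014 10:00:58 +0000
From: "PayPal" <service@intl.paypal.com>
To: "OldPassw0rd!" <victim@example.com>
Subject: Your account has been limited until we hear from you.

Dear customer, please confirm your details.
"""

IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")

def domain_of(addr: str) -> str:
    return addr.rsplit("@", 1)[1].lower() if "@" in addr else ""

def analyze_headers(raw: str) -> dict:
    # Separate display names from addresses, then compare the visible From:
    # with the envelope sender (Return-Path) and the earliest Received: hop.
    msg = email.message_from_string(raw)
    from_name, from_addr = parseaddr(msg.get("From", ""))
    to_name, to_addr = parseaddr(msg.get("To", ""))
    _, return_path = parseaddr(msg.get("Return-Path", ""))
    # Every relay prepends its own Received: line, so the last one in the
    # header block is the hop closest to the machine that really sent it.
    received = msg.get_all("Received") or []
    origin_hop = received[-1] if received else ""
    ip_match = IP_RE.search(origin_hop)
    findings = []
    if return_path and domain_of(return_path) != domain_of(from_addr):
        findings.append("envelope sender %s does not match From: domain %s"
                        % (domain_of(return_path), domain_of(from_addr)))
    if "unknown" in origin_hop:
        findings.append("originating hop has no reverse DNS ('unknown')")
    if to_name and to_name.lower() != to_addr.split("@")[0].lower():
        findings.append("To: display name %r was chosen by the sender; "
                        "it is not part of your address" % to_name)
    return {"from_name": from_name, "from_addr": from_addr,
            "to_name": to_name, "to_addr": to_addr, "return_path": return_path,
            "origin_ip": ip_match.group(1) if ip_match else None,
            "findings": findings}
```

On a real message, paste the full raw source (Outlook's "view source", or "show original" in webmail) into `analyze_headers`; the display name a sender puts in To: is free text they control, which is exactly how a leaked string ends up there.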

Quite sure there was a breach on Epsilon's side, the data handler for PayPal I believe. This was quite a while ago though, since I can't remember what data was leaked. I am not sure if it is related to that, or a breach from another site with a shared password. What you should do is, if you didn't format your PC since you used that password, format your PC and then change the passwords after. Make sure any backups are clean from malware too. At this point it is hard to know if the breach is from malware or a data leak, but since you are opening such emails it could be malware. I would recommend checking about the XSS attacks that can be used via tracking pixels; as you are using Outlook, you should be using view source and looking at headers before even deciding if the email should be opened.

Coderxyz