I find it ironic that as the author of E-Privacy, my own personal PayPal account got hacked into over the weekend. Needless to say, I was robbed of more than $300. I understand the humor here so please take a moment to laugh. Done? Good, now let's learn from this unfortunate event.
After speaking at length with the security people at both PayPal and my bank, I have a pretty good picture of how the thieves pilfered my account. My account was the victim of a brute force attack. From what I've learned, the thieves used this method to attack multiple random accounts until access was granted. Once access was granted, the thieves would steal a small sum of money in the hopes of having hacked a corporate account, where the absence of such small sums often goes unnoticed. At the time, my password was eight characters long and a mixture of various alphanumeric characters. I thought a password of this strength was fairly safe seeing as how the code to launch nuclear weapons in the movie WarGames was only ten characters. (Let's pray the government sees this article and ups their nuclear warhead codes to at least 128-bit encryption!)
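The pattern described above (one source trying many accounts with a few guesses each until one succeeds) is visible in authentication logs if someone looks at failures per source rather than per account. The following is an added example, not code from the original post or from PayPal; the log format and the sample lines are constructed for illustration, and the thresholds are assumptions a real deployment would tune.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample authentication log (hypothetical format, not from any real system).
# 203.0.113.7 sprays one guess at each of several accounts and finally gets in.
# 198.51.100.2 is an ordinary user who mistypes once.
# 192.0.2.9 hammers a single account (classic brute force).
SAMPLE_LOG = """\
2024-05-04T02:10:01Z login result=FAIL user=alice src=203.0.113.7
2024-05-04T02:10:09Z login result=FAIL user=bob src=203.0.113.7
2024-05-04T02:10:17Z login result=FAIL user=carol src=203.0.113.7
2024-05-04T02:10:25Z login result=FAIL user=dave src=203.0.113.7
2024-05-04T02:10:33Z login result=FAIL user=erin src=203.0.113.7
2024-05-04T02:10:41Z login result=OK user=frank src=203.0.113.7
2024-05-04T02:11:02Z login result=FAIL user=grace src=198.51.100.2
2024-05-04T02:11:10Z login result=OK user=grace src=198.51.100.2
2024-05-04T02:12:00Z login result=FAIL user=heidi src=192.0.2.9
2024-05-04T02:12:01Z login result=FAIL user=heidi src=192.0.2.9
2024-05-04T02:12:02Z login result=FAIL user=heidi src=192.0.2.9
2024-05-04T02:12:03Z login result=FAIL user=heidi src=192.0.2.9
2024-05-04T02:12:04Z login result=FAIL user=heidi src=192.0.2.9
2024-05-04T02:12:05Z login result=FAIL user=heidi src=192.0.2.9
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) login result=(?P<result>OK|FAIL) user=(?P<user>\S+) src=(?P<src>\S+)$"
)


def parse_log(text):
    """Parse the constructed log format into a list of event dicts; unknown lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        event = m.groupdict()
        event["ts"] = datetime.strptime(event["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(event)
    return events


def classify_sources(events, min_failures=5, min_accounts=4):
    """Group login events by source address and flag suspicious sources.

    password_spraying: at least min_failures failures spread over at least
                       min_accounts distinct accounts (the pattern in the post).
    brute_force:       at least min_failures failures concentrated on fewer accounts.
    Any account that logged in successfully from a flagged source after that
    source had already failed is listed as a compromise candidate to verify.
    Thresholds are assumed values for the example, not a recommended policy.
    """
    per_src = defaultdict(
        lambda: {"failures": 0, "users_failed": set(), "success_after_failures": set(),
                 "first": None, "last": None}
    )
    for e in events:
        s = per_src[e["src"]]
        s["first"] = e["ts"] if s["first"] is None else min(s["first"], e["ts"])
        s["last"] = e["ts"] if s["last"] is None else max(s["last"], e["ts"])
        if e["result"] == "FAIL":
            s["failures"] += 1
            s["users_failed"].add(e["user"])
        elif s["failures"] > 0:
            s["success_after_failures"].add(e["user"])

    findings = {}
    for src, s in per_src.items():
        if s["failures"] < min_failures:
            continue  # a few typos from one user are not an attack
        pattern = "password_spraying" if len(s["users_failed"]) >= min_accounts else "brute_force"
        findings[src] = {
            "pattern": pattern,
            "failures": s["failures"],
            "distinct_accounts": len(s["users_failed"]),
            "window_seconds": int((s["last"] - s["first"]).total_seconds()),
            "compromised_candidates": sorted(s["success_after_failures"]),
        }
    return findings


if __name__ == "__main__":
    for src, finding in classify_sources(parse_log(SAMPLE_LOG)).items():
        print(src, finding)
```

The point of keying on the source rather than the account is that per-account lockout never triggers when each account only sees one or two guesses; the spraying source only stands out when its failures are counted together, and the one success that follows them is the account worth locking and calling the owner about.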
Saturday morning I received several emails from PayPal confirming that my "donation to Africa" had been processed. At first, I thought this was just your typical phishing scam. However, as a matter of practice, I manually logged into my accounts (as opposed to clicking the links in the emails - never do that) to verify my money was safe. It was not. The money actually was removed from my bank account via PayPal and transferred out of the country.
Even after taking all possible precautions, I was still vulnerable. At this point, the only thing left to do was to create longer and more difficult passwords and disassociate my bank account from PayPal (at least temporarily). The good news is I will get my money back. The bad news is... the hassle just sucks.