You are viewing the PayPal Community Archives. This content may be old or outdated.
I'm extremely disappointed. Someone else has set up a PayPal account with my Gmail address. I contacted PayPal customer service and they have told me there is nothing they can do about it. This is ridiculous.
I have a PayPal account under my Gmail address, and this other person has used the exact same address, omitting a period (which is still my account; Gmail doesn't recognize periods, and does not allow two accounts to be set up with the same name). Because of the missing period, PayPal was able to create another account; otherwise it would have been stopped, because you can't have two PayPal accounts on one email address.
But regardless, PayPal understands that someone has falsely used my email address, and they won't do anything about it. They are sending me emails with no authorization to do so. I have not verified my email address.
Extremely disappointed, and I expect someone to take some action. Please contact me by email, PayPal. Under the CAN-SPAM law you are required to give me a method to stop receiving emails from you, and you have failed to do so.
I recently had the same problem. Someone used my Gmail address to open an eBay and PayPal account, yet nothing was done about it. Thanks to the Yahoo security breach, this happened. This is completely ridiculous. PayPal needs to take care of these security problems before they get worse.
(To summarize the problem for other searchers: since Gmail sends "joe.user @ gmail.com" and "joeuser @ gmail.com" and "j.o.e.user @ gmail.com" to the same person, whoever registers with the first variant (the "earlier" user) will get all email correspondence for all other future users who accidentally register with a variant of the early user's Gmail address (the "later" user))
Unfortunately, unless PayPal intervenes with a solution (by not allowing registration of any variation of period/non-period Gmail addresses once one variant is claimed and verified), the only way to manage this yourself is proactive - claiming and assigning the other variations (at least the common ones) to your PayPal account in advance. But most users won't find out about this problem until they have it.
Because additional information is needed to reset the password for the other account, and the prompts for that information obscure the alternate contact information for the other user (which is good), there is no way to reach out to the other user to let them know that their email address isn't what they think it is - unless that other email address is Googlable enough to find out enough information to try to contact the other user via other means.
PayPal, this is a subtle yet significant problem. The earlier user will continue to receive communications that they cannot stop. The later user's configuration is broken, and they won't be able to use that email address to verify or manage their PayPal account; and some of that later user's information, potentially personally identifiable information (PII), is regularly leaking to the earlier user.
Thanks for taking the time to write this feedback. I'm passing this along to the appropriate team within PayPal.
Ignoring period characters (and +) in emails is not technically part of the email standards, so the concern would be if a company needs to start maintaining multiple separate rules for different email domains based on whether that email provider wants to ignore certain characters in their email addresses.
Based on Google's documentation, they choose to ignore the period character so that others cannot register an email address that looks like your email address. Makes sense but this can also be a slippery slope. If we start ignoring period characters in emails, what if malicious actors start using underscores instead? Then we start ignoring underscores and they switch to using asterisks. And so on. Kind of defeats the purpose of having a standard.
But with Gmail being the most used email provider, companies should definitely consider how Google's unique policies may have an impact on the customer experience, security and privacy. Speaking for only myself, I agree that there should be special considerations to help avoid the situation you described.
I can't guarantee this will be changed but I'll certainly make sure we get this feedback to the right people.
Frank, thanks for the thoughtful reply and for forwarding in hope of maybe making an exception.
The only chime-in that I'd like to make is that plus signs (+) are a bit different. Unlike ignoring periods, which seems to be a Gmail-specific thing, subaddressing is quite widespread on major platforms, including Sendmail, Gmail, and others. Sendmail has supported subaddressing for over 20 years, as far as I know. And while not strictly required for compliance with SMTP RFC 5321, subaddressing does have its own RFC (5233) which captures real-world use, so it's not a standards-free usage.
And whether or not subaddressing is standards-based or not is, as you point out, sort of a separate issue. PayPal customers are unable to prevent third parties from even preliminarily associating an email address that they do not control with their own PayPal account. I filed bugs for both the dot problem and the plus problem this morning, but both have been marked as unactionable, on the assertion that fraud detection algorithms would almost certainly catch any actual attempts to fraudulently use the mis-association.
While I'm sure that this is largely true, it nevertheless remains counterintuitive for users to receive emails from PayPal that are clearly not intended for them ... forever, without recourse. Not all problems need to be fraud-inducing to be worthy of love. It also seems worrying that even though someone else has associated "firstlast @ gmail.com" with their PayPal account (such that if I try to add "firstlast @ gmail.com" to my own account it is denied), I can cheerfully add "firstlast+bogusthing1 @ gmail.com", "firstlast+bogusthing2 @ gmail.com", etc. without being denied.
Update: I forgot to mention that those not-for-me emails may have sensitive information in them. When I discovered this issue for the first time this morning, it was when I got an email intended for my alter ego, notifying them that PayPal's "One Touch" had been enabled for their phone, with specific information about what kind of phone they have (which is none of my business, and something that I would rather not know). And since the email address they used is shown in the email, an unscrupulous third party could also use the password-reset interface to collect that user's partial phone number, etc. and start to stitch a number of things together for naughty purposes. Just because I can't think of a way to abuse it doesn't mean that a more motivated and resourced threat actor couldn't. And this was all sent to an email address that they never proved to PayPal that they control.