Happened to me a while back also (by the time I had reported it to PayPal, and they had frozen my account, I think about 2 to 3 transactions had gone through). All refunded in due course.
I had an 8-character random password on my account. They may have just guessed this, or another site where I also use this same password got compromised, and they were able to associate my email address with that password. These are the only two logical explanations I can think of.
Which is why it is:
1) a good idea to have a different password for every website you have an account with. Hard to maintain, so might be better to hash the website name (www.foo.com) to a 5 or 6 character string and then pre/postfix this with your static fixed password making a unique password for each site (I read this somewhere, not my idea originally).
2) advisable to use more characters, and more variety of characters. Looking back, my 8 characters were all lower case, and only letters. Although completely random, and not based on any dictionary word, it's still crackable.
3) worth checking if the website you register with, when you follow their password recovery process, emails you your password, or can reveal to you what it is currently set to. If they can do this, it means they are storing it in plain text and not hashed, so if their user information becomes compromised, your password will have been too. All sites should store passwords via hashing only, and no site should be able to tell you what your password is/was.
Edited by mixt (Tue 27-Mar-12 18:09:13)
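The per-site password derivation mixt describes in point 1, alongside the hash-only storage a site should use from point 3, written out as an added example (this is not code from the post). The choice of SHA-256 and base32 for the tag, the 6-character length, PBKDF2 for the server side and the sample hostnames are all assumptions.

```python
import base64
import hashlib
import hmac
import os

# Constructed sample value; nothing here comes from the post.
STATIC_PART = "correcthorse"   # the fixed part the user remembers


def site_tag(hostname: str, length: int = 6) -> str:
    """Hash the site name and keep a short, typeable tag (point 1).

    Base32 yields letters and digits only; the hostname is trimmed and
    lower-cased so 'www.Foo.com ' and 'www.foo.com' give the same tag.
    """
    digest = hashlib.sha256(hostname.strip().lower().encode("utf-8")).digest()
    return base64.b32encode(digest).decode("ascii")[:length]


def site_password(hostname: str, static_part: str = STATIC_PART) -> str:
    """Postfix the static password with the per-site tag: unique per site,
    but reproducible from the site name without storing anything."""
    return static_part + site_tag(hostname)


# --- what a site should do with the password it receives (point 3) ---

def store_password(password: str) -> dict:
    """Keep only a random salt and a slow salted hash.

    The password itself is never written down, so there is nothing the
    site could email back from a 'password recovery' process.
    """
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 200_000)
    return {"salt": salt, "hash": digest}


def verify_password(record: dict, attempt: str) -> bool:
    """Re-derive the hash from the attempt and compare in constant time."""
    digest = hashlib.pbkdf2_hmac("sha256", attempt.encode("utf-8"),
                                 record["salt"], 200_000)
    return hmac.compare_digest(digest, record["hash"])


if __name__ == "__main__":
    pw = site_password("www.foo.com")
    rec = store_password(pw)
    print(pw, verify_password(rec, pw), verify_password(rec, site_password("www.bar.com")))
```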