
We aren't convicting them here - this isn't a court. It's just pointing out that, once again, as always:

PayPal

Not only did they screw up; but they also can't man up, tell the truth and be transparent - as usual. Shit happens. Slamming us with a denial that shit happened is implying that you aren't going to do anything about it; admitting it is a clear statement that you are not proud of it and will work to make sure it never happens again.

It's come to the point where if someone said that PayPal are responsible for climate change; I would be inclined to believe them. No matter how much they denied it.



In other words you're prejudiced and see no reason to logically validate your preconceptions?

Great, that's what we need. More people commenting who have all the answers. What if PayPal were telling the truth, how exactly would that situation look different than the one we are in? Good thing PayPal's always wrong though!


It's more like extrapolation from a known set of data points. PayPal has a certain history. You can look up what's gone down in the past, and based on that, the accusations fall right in line with the sorts of things PayPal has historically done. At this point it seems far more likely that PayPal did in fact do what it's accused of than that it didn't.

If PayPal is in fact telling the truth (and that's a big if), then the question becomes where did the hacker get the last 4 of the CC from? GoDaddy has confirmed the hacker had a large amount of info, including presumably the last 4 of the CC when he called them, so somewhere in this whole thing someone gave that data away.


(I can't reply to jessedhillon's follow-up comment yet & I don't want to wait so I'll just reply here....)

If you look as far as... oh say, the top of this thread on HN, you will hear accounts from people who have apparently done this very thing (asking PayPal for last 4 digits and gotten an answer). So it seems like their policy did not forbid it, anyone could do it, so why not believe the hacker's claim?

You can't have a policy of routinely giving out certain info then deny that you gave it out in a case where it caused a security breach. What is the defense there? "Well yeah ordinarily we DO give that out but we could tell this guy was a hacker so we didn't." Yeah, they wish. If they regularly give out last 4 digits, then the claim that they didn't in this case is absurd.


> ...the question becomes where did the hacker get the last 4 of the CC from?

That's always been the question. Until you know better, what you have is a situation where you're believing the word of an anonymous criminal, relayed to you second-hand, over PayPal. I'm just saying you have no evidence either way at this point, and are simply expressing your preconceptions, which are not helpful.


> It's more like extrapolation from a known set of data points. PayPal has a certain history.

Exactly, the child who cried "wolf."



