It's more like extrapolation from a known set of data points. PayPal has a certain history. You can look up what's gone down in the past, and based on that, the accusations fall right in line with the sorts of things PayPal has historically done. At this point it seems far more likely that PayPal did in fact do what it's accused of than that it didn't.
If PayPal is in fact telling the truth (and that's a big if), then the question becomes where did the hacker get the last 4 of the CC from? GoDaddy has confirmed the hacker had a large amount of info, including presumably the last 4 of the CC when he called them, so somewhere in this whole thing someone gave that data away.
(I can't reply to jessedhillon's follow-up comment yet & i don't want to wait so I'll just reply here....)
If you look as far as... oh say, the top of this thread on HN, you will hear accounts from people who have apparently done this very thing (asking PayPal for last 4 digits and gotten an answer). So it seems like their policy did not forbid it, anyone could do it, so why not believe the hacker's claim?
You can't have a policy of routinely giving out certain info then deny that you gave it out in a case where it caused a security breach. What is the defense there? "Well yeah ordinarily we DO give that out but we could tell this guy was a hacker so we didn't." Yeah, they wish. If they regularly give out last 4 digits, then the claim that they didn't in this case is absurd.
...the question becomes where did the hacker get the last 4 of the CC from?
That's always been the question. Until you know better, what you have is a situation where you're believing the word of an anonymous criminal, relayed to you second-hand, over PayPal. I'm just saying you have no evidence either way at this point, and are simply expressing your preconceptions, which are not helpful.
If PayPal is in fact telling the truth (and that's a big if), then the question becomes where did the hacker get the last 4 of the CC from? GoDaddy has confirmed the hacker had a large amount of info, including presumably the last 4 of the CC when he called them, so somewhere in this whole thing someone gave that data away.