So this is the gist...There is a small vulnerability because Gmail allows you to include dots in your email address, it essentially allows anyone to create multiple Paypal accounts with the same email address because Paypal recognises the inclusion of a dot as a separate email address entirely. It's seems like a flaw but not a massive security vulnerability.
Also Paypal also doesn't appear to verify email addresses on registration so anyone can create multiple accounts for the same person without any need to click a confirmation link in a verification email. Again, a flaw but not a massive security vulnerability as far as we can tell.
When you sign up for a gmail address, all dot variations of the email address belong to you. So if you have andzdroid@gmail.com, then emails to andz.droid@gmail.com will also go to you, and a.n.d.z.d.r.o.i.d@gmail.com will also go to you.
What happened to the OP is that somebody signed up using a variation of his email. Obviously, if I signed up at paypal with YOUR email address, you'd start receiving MY paypal emails.
There is no vulnerability. Only stupid people signing up with other peoples' emails.
Also Paypal also doesn't appear to verify email addresses on registration so anyone can create multiple accounts for the same person without any need to click a confirmation link in a verification email. Again, a flaw but not a massive security vulnerability as far as we can tell.