Ask HN: What happened between PayPal and me and who's Roland L. Buffet?
3 points by meta-level on May 4, 2023 | hide | past | favorite
Last week I paid for lunch for a colleague of mine and they paid me back via PayPal - in other words, they tried to.

I have a mail account at an email provider which supports "plus addresses", and in order to trace back spam and to allow for easy labeling I use "john.doe+<service-name>@provider.com" instead of my "real" email address "john.doe@provider.com".

In case of PayPal I used "john.doe+paypal@provider.com" (name changed) and everything seemingly worked well for years.

That friend, who wanted to send me EUR 11, knew my email address (without the plus sign) and sent me the money using the PayPal app. After nothing happened for a couple of minutes, he sent it again to my PayPal email address (after verifying it with me this time), and I received the money.

Two days later I got an email from PayPal with the title "Confirm your email address", sent to "john.doe@provider.com" (changed), addressing me with the name "Roland L. Buffet" (name also changed, I don't know if Roland is culprit or victim).

While I didn't click on the confirmation link, I double checked the raw email content for any signs of scam/phishing but didn't find anything, except my name (even my changed name) is not "Roland L. Buffet".

So I asked my colleague if they knew that name, describing the situation, and they confirmed that the first transaction had also been successfully fulfilled (with a transaction code), showing "Roland L. Buffet" as the receiver. So they effectively sent the amount twice: to me and to some stranger who was addressed with my email address.

I filed an incident with PayPal providing all the details, including the transaction number, only to see it closed minutes later without any steps taken or the money being refunded.

Luckily I'm not talking about big money here, and admittedly we could have verified the email address in the first place. But shouldn't I be suspicious now?

Does the PayPal email-address-to-account algorithm have an evil bug which picks random accounts when you send money to an account PayPal doesn't know? Or is there even a way to exploit such a situation and redirect such transactions to an account of your choice? How would someone else know about a transaction with the addressee just missing the plus component?

Did I miss another simple and obvious explanation?

And what should I do about this, after PayPal didn't seem to be interested in an obviously severe bug (or even a malicious exploit by someone who knows it)?

I feel a bit like I'm in the middle of a flight and just recognized by accident that one of the doors had been left open, and silently closed it.
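The post above describes the plus-addressing ("subaddressing") scheme the author uses: john.doe+paypal@provider.com and john.doe@provider.com land in the same mailbox, but a service that keys accounts on the literal string will treat them as two unrelated addresses. The following is an added example, not code from the post or from PayPal, and the page does not say how PayPal actually resolves addresses; the AccountDirectory class and its two lookup policies are hypothetical, written only to show the difference between exact-string matching (the bare address is unknown to the service, as in the first transfer) and canonicalized matching (both spellings resolve to the same account). The sample addresses are the post's own placeholders.

```python
import re
from typing import NamedTuple, Optional, Dict


class PlusAddress(NamedTuple):
    """An email address split into mailbox, optional plus tag and domain."""
    local: str
    tag: Optional[str]
    domain: str

    @property
    def canonical(self) -> str:
        # The mailbox the provider actually delivers to: tag removed.
        return f"{self.local}@{self.domain}"

    @property
    def full(self) -> str:
        # The literal spelling with the tag kept.
        return f"{self.local}+{self.tag}@{self.domain}" if self.tag else self.canonical


def parse_plus_address(addr: str) -> PlusAddress:
    """Split 'local+tag@domain' into its parts.

    Splits on the last '@' (domains cannot contain '@', local parts in theory
    can), lowercases the domain (case-insensitive per DNS) and leaves the
    local part untouched. An empty tag ('john+@x') is treated as no tag.
    """
    local, sep, domain = addr.strip().rpartition("@")
    if not sep or not local or not domain or not re.fullmatch(r"[A-Za-z0-9.-]+", domain):
        raise ValueError(f"not an email address: {addr!r}")
    base, plus, tag = local.partition("+")
    if not base:
        raise ValueError(f"empty mailbox in {addr!r}")
    return PlusAddress(base, tag if plus and tag else None, domain.lower())


class AccountDirectory:
    """Hypothetical email-to-account lookup with a configurable matching policy.

    canonicalize=False: accounts are keyed on the literal address, so the
    bare address is simply unknown if only the tagged one was registered.
    canonicalize=True: the plus tag is stripped before lookup, so every
    tagged variant resolves to the same account.
    """

    def __init__(self, canonicalize: bool) -> None:
        self.canonicalize = canonicalize
        self._accounts: Dict[str, str] = {}

    def _key(self, addr: str) -> str:
        parsed = parse_plus_address(addr)
        return parsed.canonical if self.canonicalize else parsed.full

    def register(self, addr: str, owner: str) -> None:
        key = self._key(addr)
        if key in self._accounts:
            raise ValueError(f"{key} is already claimed by {self._accounts[key]}")
        self._accounts[key] = owner

    def resolve(self, addr: str) -> Optional[str]:
        """Return the account owner for addr, or None if no account matches."""
        return self._accounts.get(self._key(addr))


if __name__ == "__main__":
    # Constructed scenario mirroring the post: only the tagged address is registered.
    for policy in (False, True):
        directory = AccountDirectory(canonicalize=policy)
        directory.register("john.doe+paypal@provider.com", "John Doe")
        print(f"canonicalize={policy}:",
              "bare ->", directory.resolve("john.doe@provider.com"),
              "| tagged ->", directory.resolve("john.doe+paypal@provider.com"))
```

With exact matching the bare address resolves to nothing, which is consistent with the first transfer not reaching the author; what a service then does with money sent to an unknown address is a separate question that the post leaves open. The practical check for the sender is the one the author already names: confirm the exact registered address, tag included, before sending.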
