Fraudsters used identity theft emails, known as phishing, to trick online traders into handing over their PayPal account information, internet auctioneer eBay said. The scammers then logged into the accounts and stole customer details, such as names, email addresses and dates of purchase.
PayPal insisted that no financial details were stolen.
"We noticed some unusual activity that lead us to believe some of our merchants may have given out their passwords to spoofers," said Amanda Pires, spokeswoman for PayPal. "They did it through a phishing scam. This third-party accessed non-financial information, such as name, email address and date of purchase. No one could take over an account with that information".
However, the company warned users that the information could be used in follow up phishing attacks that specifically target individuals.
"Customers may start to receive emails asking for their user information," Pires said. "We think [scammers] may turn this around to deceive users."
Last week, PayPal paid $150,000 to New York State because it misrepresented protection offered to customers who failed to receive merchandise they ordered.