The break-in occurred at BenchmarkPortal where that company had not properly secured the online form it had used for customers to opt-out of a survey carried out by PayPal. A spokeswomen for PayPal said the number of emails gathered from this breach was "extremely limited".
"Information accessed did not include personal or financial information (like first/last names, credit card numbers, bank account numbers, social security numbers, driver's license numbers, etc.)," said Sara Bettencourt, spokeswoman for PayPal. "This information is kept under the highest levels of encryption on PayPal's secure servers. PayPal technology is and remains completely separate from BenchmarkPortal technology."
The form used showed the customer's email address to anyone who could correctly guess the survey form's ID. At the time of writing BenchmarkPortal was unavailable for comment.
Bettencourt said PayPal was "working directly with users who may have been affected to inform them of the situation". She urged users to be extra viliglent with emails claiming to be from PayPal.