At Nottingham Crown Court on February 18, Richard Kirk, 22, was jailed for three and a half years after pleading guilty to a prolonged fraud and theft committed over two years between 2008 and 2010.
Kirk had demonstrated considerable skill at guessing users' answers to elementary security questions to access email accounts.
By claiming to have forgotten the password, he would, by trial and error, answer a sequence of questions such as the favourite colour, the year of birth or the make of car driven by the account holder in order to gain access to their accounts.
The court heard people often used exactly the same password on their PayPal accounts as they used on their eBay accounts. This gave Kirk a way in to immediately spend their money.
Because Kirk would ask for merchandise purchased on eBay to be sent to his home address in Sherwood, those victims who quickly realised their accounts had been hacked into could not get their money back when they alerted PayPal.
Detective Constable Dave Prest explained: "PayPal has the power to reverse the payment when the original person's account was hacked into. But where it is sent to a different address, to an unverified address from the one on the website, then PayPal does not reimburse customers."
Martin Elwick, in mitigation, said: "What is a remarkable feature of the fraud is that he uses his home address for the delivery of every single item. It beggars belief PayPal never brought it to an end years ago – they can trace each transaction to his home address."
