Well, I am pretty new here, but not new to the ideas and genius BHW posts. Great site. Let me start, as I hope some of you have some suggestions:

9/11/09 I get a call from a customer in regards to a charge appearing on her credit card statement from my website. The charge was under $1 (something like $0.23). I immediately logged into PayPal and noticed thousands (yes, that many) of these "authorizations" for under $1. I immediately called PayPal and told them about this. They said I have nothing to worry about, since an authorization must be accepted by me, and if I don't accept them, then they will just go back to the credit card holder after 72 hours (in other words, they will expire).

Until now, I am fine with everything, so I ask the PayPal 'clerk' how did they do this? He did not have an answer and told me to change my API Certificates and add them back to my shopping cart. So I did this, and sure enough the charges stopped.

Guess what? Next morning, again! New charges, thousands, one after another, like 40+ in a minute. It must have been automated, well, for sure it was... So I called PayPal again, and they told me to change the API Cert. again and this time change my PayPal password, so I did. Guess what? This time it ended. So I went about my business....

Sure enough, the month ends, and my Website acceptance Virtual Terminal (or whatever they call it) was charged the normal $30/monthly fee. Today, I get the new bill, and they took out of my account $3,879!!!! I know I should not have that much money in there, but seriously, I purchase goods, and need money there.

I called PayPal and said WTF???? They all of a sudden became GENIUSES and told me that my API code must have been hacked and used to authorize these stolen credit cards, and I was charged .30 per authorization. That is SICK! That is a total of 12,900+ authorizations!!! I became MAD!

Kept myself calm, and asked that the almost $4000 of these fees be returned to my account. They said it can't be done: the credit card companies charge us, and we charge you, that is the way it works. What can I tell you, after pleading with the guy that no one used my API, he said you must not have SSL on your site. (Joker.) I told him I do, so he checked, and found out I did, so he said, well, somehow they used your API code to run these transactions. I am so pissssed off it's amazing! He told me he will send it to the dispute department but not to expect anything, because I am responsible for such fees.

People out there, any ideas? I googled all over but could not find anyone posting something similar to what happened to me. Your time and input are greatly appreciated. I really don't need "sorry, that sux" comments, it won't make me feel any better *grin*

Hope for some good feedback.... I wanna cry!!!!!!!!!