A recent hack was discovered to have targeted Paypal, changing the API credentials enabling the thieves to intercept payments.
The error log below shows how the incorrect email address was detected, however, the payment was still processed.
./var/log/exception.*******co.uk merchant emails do not match.’ in /var/www/vhosts/g:exception ‘Exception’ with message ‘Requested email@example.com and configured *****@*******.co.uk/httpdocs/app/code/core/Mage/Paypal/Model/Ipn.php:258
./var/log/payment_paypal_express.log: [exception] => Requested firstname.lastname@example.org and configured *****@*******.co.uk merchant emails do not match.
As the API is starred out a visual check will not pick up on this hack and it is essential to be aware of any unusual access to your server.