[fat0wl]

(I can't reply to jessedhillon's follow-up comment yet & i don't want to wait so I'll just reply here....)

If you look as far as... oh say, the top of this thread on HN, you will hear accounts from people who have apparently done this very thing (asking PayPal for last 4 digits and gotten an answer). So it seems like their policy did not forbid it, anyone could do it, so why not believe the hacker's claim?

You can't have a policy of routinely giving out certain info then deny that you gave it out in a case where it caused a security breach. What is the defense there? "Well yeah ordinarily we DO give that out but we could tell this guy was a hacker so we didn't." Yeah, they wish. If they regularly give out last 4 digits, then the claim that they didn't in this case is absurd.