Miop - 10:01 am on Jul 1, 2008 (gmt 0) PS we fulfilled the orders anyway - it was not the customer's fault.
Our store website was hacked and the Paypal gateway email address altered to someone else's. Paypal payments which were subsequently made by customers went to the thief's address and into their account. They set up a callback on their Paypal account to our website, which marked the orders as paid.
Paypal refuse to anything to help - even though they have a thief operating one of their accounts, and even though Paypal were complicit by allowing an unauthorised callback from an unrelated account to a commercial website, they refuse to refund the customer's money (to the customer). As far as I know they have not even logged a complaint or report on the matter. They don't want anything to do with it.
So a general warning - be sure your security on your website server is as good as it can be, and to buyers using Paypal, be aware that who you think you are paying is not who you may actually be paying. And don't expect any help from Paypal. I can only hope that when each individual customer complains, they will refund their money, but they won't say that they will.
PS we fulfilled the orders anyway - it was not the customer's fault.