On August 16th we'll celebrate 2.5 years of Unshelved. What should we do to celebrate? Send your suggestions.

On Friday, at just a couple weeks over a year, Rosie took her first steps. She was sitting with Theo. When he walked away she followed him, at least for about 3 steps. Since then she has taken quite a few forays.

Since we know that the lower and mid parts of the brain are developed by creeping and crawling, and the more the better, we've been eschewing walking for as long as possible, the better to get in that vital hands-and-knees mileage. None of the holding-her-up-while-she-toddles we did with Theo that got him walking at ten months. But there's no stopping mother nature, and Rosie finally reared up on her own. Which just goes to show that kids will walk when they're ready. It was very exciting to watch and each additional step has been an adventure. I'm not sure but I think the next big developmental phase from here is grad school.

I got a payment notice from PayPal Friday, one of dozens I get every day thanks to our little business. But this one was a little different, something I'm glad I noticed right away. This one was a payment *from* our account, something we do very seldom, and always just by me. I rushed over to PayPal to check it out and lo and behold someone had indeed made an unauthorized payment. It was for everything we had in our account at the time, which I'm glad to say wasn't very much as I had recently withdrawn funds to our bank account. But it wasn't nothing either. I reported it and PayPal marked it "pending reversal" which I think means we might get it back.

But the real question is, how did that person get access to our account? They'd need the correct email address and password, something I am careful not to hand around. Some possibilities:

• Someone hacked PayPal. I find this hard to believe. I'm sure no one is more invested in security than they. Their business depends on it.
• I use the same password on a handful of other sites. Had someone broken security on those sites they could try userid/password combinations on PayPal (I would). But I don't think I ever used this password with the email address we use with PayPal
• Up until this happened Gene and I maintained a "secret page" on our site with some business information including PayPal login info. The page was password protected, and a check of the logs leads me to believe it was not hacked (no brute-force password attempts). But the page was sent in the clear (HTTP not HTTPS) so some enterprising soul with a tap on the Internet somewhere looking for the words "PayPal" and "password" in passing packets might have come across it. But even this seems unlikely because I hadn't accessed that site in at least a week.

So I'm flumoxed. I look forward to hearing what PayPal has to say. Because the perpetrator not only paid themselves some money but then "filed" the transaction (meaning it didn't show on the Overview page) I am lead to believe this is a career PayPal thief.

By the way, if you have bought anything from us you are in no danger, or at least no more danger than any other PayPal customer. The only thing someone hacking into our account could do with yours is to refund you some money.

I'll keep you apprised as this develops.

Followup: PayPal did indeed refund the charge. Still no ideas on how this might have happened.