Help me to check whether my account on Virmach was hacked
I had an OVZ-Special-512 plan (5.1usd yearly) from Virmach. And I just leave my account there without logining. Then things happened as followed:
1 June 7 - I received an Email from Paypal saying 5.52 usd had been paid twice to Virmach. I submited a ticket to ask why.
2 June 13 - Virmach staff refunded one 5.52 usd to my paypal and told me that the other 5.52 usd are for upgrade request from "me" (I didn't submit any upgrade request)
3 I found my OVZ-Special-512 was upgraded to Elite+ plan (34usd yearly plan). I told them I haven't login my account for quite a long time so it is impossible for me to upgrade my package. And I must be crazy to upgrade a 5usd plan to 34 usd plan 
4 Virmach checked the login ip address for me. The ip is 212.32.225.250, which is not me. And they thought all these were owing to a security issue of my account. So they refused to downgrade fo me.
5 In my opinion, even my Virmach account was hacked and the upgrade was manually handled, how can paypal pay the invoice without my permission? So I checked my paypal history, and the payment was made by "Subscription".
Here is my question: Can the Paypal subscription be used to automatically pay any invoices created by users in WHMCS? Is that true that my account was hacked by others and they just upgraded package for me?
Something I want to say:
First, I know LET is not a support forum. And Virmach support team seems to be quite positive to solve my problem. So no complain to them. And I won't dispute via Paypal.
Second, I have cancelled all subscription in Paypal after all these.
Comments
I will just answer this part.
Yes.
This is why 2FA is more important now.
yes
PayPal subscription couldn’t create a new payment like you describe, but a PayPal Billing Agreement could. Which do you have setup with Virmach?
Cancel all automatic subscription that you have on any website and you will sleep better at nights.
Like I have with @Francisco / BuyVM, I believe VirMach does PayPal Billing Agreements which allows them to charge your PayPal account with whatever. What I believe has happened here is someone (maybe you, maybe not you) has upgraded your service and VirMach have automatically settled the invoice that would have been generated with your default payment method which would be the PayPal Billing Agreement.
May OP rest in space.
This why i pay my stuff manually. No subscriptions. No agreements.
The only thing I do not understand, why would anyone upgrade the VPS package?
You should check if the VPS is also being used by "someone else" so perhaps that "someone else" upgraded your VPS to enjoy free VPS for their gain.
Scan your computer. Chances are there that you might be keylogged, or you're keeping all the passwords same or weak password.
I decided to unsubscribe from their service because of the last issue. Does anyone know how to remove a card in virmach without causing any problem for the account? Because maybe I will think to come back to them one day.
I got charged twice too when I manually renewed my service. Virmach refunded me smoothly but I do think the "charged twice" problem reveals some bug in their whmcs paypal setup.