Is it possible you had the "Edit your details" page open and your web-browser "helpfully" auto-filled the form with her details and you submitted the form without noticing?
It gets worse: there's a lot of web-apps out there (both SSRs and SPAs) with <form> elements for personal details which are in the DOM, but "hidden" by doing tricks like `position: absolute; left: -99999px` inside a div with `overflow: hidden` (instead of doing something like `display: none;`) - or have the form hidden by using a z-index behind some curtain/cover element - and I've seen browsers auto-fill those fields and they get POSTed and cause a data overwrite on the server without the user being aware.
It's a fun way to steal PII from people: have a random public webpage that contains a registration form with all kinds of personal details, but has HTML+CSS such that it's visually obscured from the user, but the browser thinks it's a fully visible form, and simply yet the browser autofill it and submit it using JS (getting around the "user must interact with the page" filter by binding it to a big pink button that says "click here to see dancing bunnies!").
Uh, I don't think so. We don't live together and we don't share computers.
Its strange that Paypal would even consider our accounts associated in any way. I wonder if she put a support ticket in to change her name and they changed mine too because we shared the same surname? Does paypal know we're related somehow, or did they just change another random account with our surname when they changed her name, and happened to get her brother? The more I think about it the more questions I have.
I once called PayPal to report an "your account is suspended" phishing email and they angrily told me to follow the directions in the email.