Attackers claim PayPal credential leak, but researchers doubt the data is useful


Users of a data leak forum claim that they’ve obtained over 100,000 stolen PayPal credentials, including emails and passwords. However, the Cybernews research team believes the data may have been sourced from infostealer logs and be outdated.

The attackers’ post was uploaded on Sunday, with the authors claiming they have a PayPal combolist with 104,000 records. According to the post, the data comes from last month and contains legitimate PayPal credentials.

We reached out to PayPal, and on January 13th the company shared a statement saying that it has no evidence of a data breach.

“We currently have no indication of a data breach of PayPal systems. As always, we strongly encourage customers to remain vigilant against suspicious emails or messages, update their passwords regularly, and enable two-factor authentication,” a PayPal spokesperson said in a statement.

What do the attackers claim?

Meanwhile, the Cybernews research team has investigated the claims. The team believes that PayPal is not the victim of a data breach and there’s a high probability that the credentials are no longer relevant.

Moreover, the alleged dataset is rather small for a combolist. It supposedly contains 104,000 credentials, while typically these types of lists go up to seven digits.

Attackers' post on the data leak forum. Image by Cybernews.

Moreover, the attackers’ claim that the data is from December 2025 could mean that it was downloaded from an infostealer or a bot last month, not that devices were infected with the same credential-stealing malware at the same time.

While the data could be real, breaching a PayPal account takes more time and effort, as most accounts have multi-factor authentication (MFA) set up. MFA prevents attackers from gaining unauthorized access to users’ accounts even in the case of a legitimate PayPal login credential leak.

However, if the credential information is legitimate, it does make it easier for determined attackers to attempt to break into users’ accounts.

Recent PayPal data breach claims

Being one of the most popular financial platforms on the planet, PayPal often gets on hackers’ radar. For example, last August, threat actors alleged that they had obtained a dataset containing 15.8 million PayPal credentials, including login emails and plaintext passwords.

However, the company denied any data breach claims, saying the data came from “an incident in 2022,” when PayPal experienced a large-scale credential stuffing attack that exposed 35,000 accounts.

Has my data been leaked?

So far, PayPal has not suffered a major data breach. However, attackers could find workarounds such as infostealer malware. Infostealers are a type of malware that quietly sneaks onto devices and digs through personal data. They don’t lock your screen or slow things down like some other threats.

Instead, they stay hidden and pull out whatever they can find, things like saved passwords, autofill details, browser cookies, credit card numbers, and even access to crypto wallets.

Tools like RedLine, Raccoon, and Vidar are all over the place and have been used in some massive data breaches recently, including some tied to Snowflake in 2024 and 2025.

Updated on January 14th [07:50 a.m. GMT] with a statement from PayPal.

