PayPal breach exposed nearly 16M login credentials, hackers claim

A dataset allegedly containing 15.8 million PayPal credentials, including login emails and plaintext passwords, was posted on a popular data leak forum. Hackers claim that the data is recent. Meanwhile, PayPal denies data breach claims.
- Hackers claim to have stolen 15.8 million PayPal login credentials including plaintext passwords.
- The data dump lacked a large enough sample and could not be independently verified.
- PayPal denies any data breach claims, saying the data dump is related to a security incident from 2022.
- The low selling price suggests the alleged data quality may be poor.
After the PayPal hack, a credential leak post appeared on a well-known data leak forum, which is used to leak and sell stolen data. The ad’s author claims the dataset includes millions of PayPal credentials with emails and passwords.
The company's representative told Cybernews that no data breach took place and the attackers' post relates to an earlier incident.
“There has been no data breach – this is related to an incident in 2022 and not new,” the company's representative told Cybernews in an email.
PayPal experienced a large-scale credential stuffing attack in 2022 that exposed 35,000 accounts. In early 2025, the company agreed to pay $2M to US regulators to settle regulatory action, after officials determined PayPal had failed to comply with New York's cybersecurity regulation.
Attackers' data breach claims: What we know so far
Meanwhile, the attackers claim that they obtained the data in May of this year. The allegedly stolen details include sensitive information such as:
- Login emails
- Plaintext passwords
- Associated URLs
- Variants
According to the attackers, the dataset includes information from numerous PayPal accounts worldwide. If confirmed, the data dump would pose serious risks to the company’s users.
For one, the allegedly leaked information reveals login credentials, a crucial type of information necessary to access PayPal accounts. While PayPal users often have multi-factor authentication enabled, knowing access details would eliminate the first line of defense against attackers.
Moreover, the attackers claim the data dump includes associated URLs, pointing attackers directly to services linked with allegedly leaked information. Based on the data sample that the attackers provided, the dump is structured to enable cybercrooks to carry out automated credential stuffing attacks.
Attackers note that while the alleged leak includes “thousands of unique and strong-looking” password strings, many are reused. This could mean that the amount of data useful for attackers is much smaller than the post’s author would like to admit.
The Cybernews research team looked into the attackers’ claims, but could not verify their validity. The data sample provided is too small to draw any conclusions. Researchers added that if the data was taken in May, most of what was useful would probably have been exploited by now.
Interestingly, the supposedly massive data dump is sold for an amount that hardly matches the attackers’ claims. This could point to the actual quality of the alleged data dump.
PayPal has never suffered a major data breach, which could be an indication that attackers obtained the data in some other way. One possible explanation could be infostealer malware.
Cybernews recently wrote about billions of records in numerous databases, made up of information that was likely stolen using infostealers. For example, infostealer malware often structures the data it takes with a URL, followed by login details and a password. The post alleging the PayPal breach indicates that the data is structured exactly like that.
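A defender handed a sample of such a dump can check mechanically whether it follows the URL, login, password layout described above, and how much of it is repeats or reused passwords, as the attackers themselves note. The following is an added example, not code from Cybernews or PayPal; the colon delimiter, the `triage` function, and the sample lines are assumptions constructed for illustration.

```python
import hashlib
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Assumption: colon-separated "URL:login-email:password". The lazy URL match
# tolerates ports in the URL and colons inside the password.
ULP_LINE = re.compile(
    r"^(?P<url>https?://\S+?):(?P<login>[^:\s]+@[^:\s]+):(?P<password>.+)$"
)

# Constructed sample lines; no real accounts or passwords.
SAMPLE = """\
https://www.paypal.com/signin:alice@example.com:Tr0ub4dor&3
https://paypal.com/us/signin:alice@example.com:Tr0ub4dor&3
https://www.paypal.com/signin:bob@example.org:Summer2024!
https://www.paypal.com:443/signin:carol@example.net:Summer2024!
https://www.paypal.com/signin:dave@example.com:p:ss:word
alice@example.com:Tr0ub4dor&3
garbage line without structure
"""

def triage(text, our_domains=()):
    """Summarise a dump sample; passwords are kept only as SHA-256 digests."""
    total = parsed = 0
    accounts = set()                 # unique (host, login) pairs
    pw_to_logins = defaultdict(set)  # password digest -> logins sharing it
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        total += 1
        m = ULP_LINE.match(line)
        if not m:
            continue                 # not in the URL/login/password layout
        parsed += 1
        host = (urlsplit(m["url"]).hostname or "").lower().removeprefix("www.")
        login = m["login"].lower()
        digest = hashlib.sha256(m["password"].encode()).hexdigest()
        accounts.add((host, login))
        pw_to_logins[digest].add(login)
    ours = {l for _, l in accounts if l.rsplit("@", 1)[-1] in our_domains}
    return {
        "lines": total,
        "structured": parsed,                     # rows matching the layout
        "unique_accounts": len(accounts),
        "repeat_rows": parsed - len(accounts),    # rows adding no new account
        "shared_passwords": sum(len(v) > 1 for v in pw_to_logins.values()),
        "our_logins": sorted(ours),               # accounts to reset first
    }
```

Calling `triage(SAMPLE, our_domains=("example.com",))` returns the counts plus the list of logins on the organization's own domain, which is the reset list an incident responder needs.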
What are infostealers?
Infostealers are a type of malware that quietly sneaks onto your device and digs through your personal data. They don’t lock your screen or slow things down like some other threats. Instead, they stay hidden and pull out whatever they can find, things like saved passwords, autofill details, browser cookies, credit card numbers, and even access to crypto wallets.
These things usually end up on your device after clicking on something sketchy, downloading a fake program, or opening a shady email attachment. Once they’ve settled in, they move fast. Your data gets scooped up and sent off to whoever’s behind the attack, often without you ever knowing it happened. Some are clever enough to delete themselves afterward, so you might not even realize anything happened.
What makes it worse is how easy they are to get. Anyone can buy or rent an infostealer on dark web forums, no tech skills needed. Tools like RedLine, Raccoon, and Vidar are all over the place and have been used in some massive data breaches recently, including some tied to Snowflake in 2024 and 2025.
And they’re not just a problem for Windows users anymore; some of these things are made to hit macOS and even Android devices, too, so no one’s really off the hook. Users potentially affected by the breach are advised to use a reliable password manager and change their PayPal passwords.
FAQ
Did PayPal have a security breach?
While attackers would like us to think so, PayPal denies any data breach claims. According to an official response from the company, recent data breach claims carry no weight. PayPal says the data dump is related to a security incident from 2022.
PayPal “breach”: what data has been exposed?
Since attackers provided a very limited data sample, it is impossible to accurately say what data may have been included in the data dump. Attackers themselves claim that the dataset includes login emails, plaintext passwords, URLs associated with the credentials and credential embeds.
Is PayPal safe to use in 2025?
Yes. PayPal is among the largest financial technology companies in the world, and is subject to a multitude of security regulations which the company must adhere to. So far, the company has not suffered any known major data breaches. Having said that, users should create strong passwords and use multi-factor authentication to protect their financial accounts from intruders.
Updated on August 18th [03:35 p.m. GMT] with a statement from PayPal.