Hackers claim 15.8M PayPal accounts leaked
Hackers are making bold claims on a popular underground forum, advertising what they say is a database containing 15.8 million stolen PayPal logins, complete with emails, plaintext passwords, and related URLs. The dataset is allegedly from May 2025 and, if real, could make automated attacks like credential stuffing much easier to carry out.
The sellers insist that many of the passwords look strong and unique, but also admit that a large chunk of them are reused credentials. That could lower the actual value of the leak, since reused passwords often circulate in multiple breaches. Adding to the uncertainty, security researchers who reviewed the small sample shared publicly said it wasn’t nearly enough to prove the dataset’s authenticity. If the breach really happened months ago, much of the usable data may already have been exploited anyway.
Suspicion also grows from the price tag. The attackers are asking for far less than what genuine, high-quality data usually fetches on dark web markets. That alone has experts questioning whether the dump is legitimate or simply cobbled together from older stolen data.
PayPal itself has denied any fresh breach. The company pointed instead to a 2022 incident, when credential stuffing attacks exposed about 35,000 accounts. That case led to regulatory fines earlier this year, far smaller in scale than the millions of accounts now being claimed.
Critics note that the supposed PayPal dataset looks strikingly similar to logs generated by infostealer malware, which steals saved credentials and cookies from infected devices. These logs often include URLs paired with usernames and passwords, just like the leaked sample. In other words, the data may not come from PayPal’s systems at all, but from compromised users’ computers.
Whether this latest claim is genuine or not, it highlights a bigger problem: once personal information is stolen, it doesn’t vanish. Stolen logins can resurface years later, fueling identity theft, fraud, and scams. For anyone who has ever reused a PayPal password on other platforms, the risk is still very real.
