Online Marketplace Offers Stolen PayPal Passwords for Purchase - Promptly Modify Your Own Credentials
PayPal Denies New Data Breach Amidst Allegations of Stolen Credentials
In a recent turn of events, hackers have claimed to have stolen and put on sale a dataset of about 15.8 million PayPal login credentials, including emails and plaintext passwords, allegedly obtained in May 2025 [1][2][3]. However, PayPal has denied any new data breach in 2025.
Cybersecurity researchers and PayPal attribute this dataset not to a fresh breach but to fallout from a 2022 credential stuffing incident, where attackers used stolen credentials from unrelated breaches to access PayPal accounts. The 2022 incident affected around 35,000 accounts and led to a $2 million settlement with U.S. regulators over compliance issues [2].
The leaked dataset's authenticity and recency remain unverified. Experts have examined small samples but found them insufficient to confirm a new breach. Many credentials appear outdated, fabricated, or reused, lowering their practical threat. The relatively low asking price also suggests dubious data quality [2].
If the claims are accurate, this could be one of the larger PayPal-focused leaks of recent years, with millions of users across Gmail, Yahoo, Hotmail, and country-specific domains potentially implicated. However, PayPal denies that the leaked dataset includes millions of users across multiple email domains.
The advice for PayPal account security remains the same: ensure your password is strong, unique, enable 2FA using an authenticator app, and add a passkey to your account. Enabling 2FA using an authenticator app and adding a passkey to a PayPal account can help protect devices, money, and identity.
Users are advised to change their passwords regularly and avoid reusing them across accounts. If users have accounts protected only by passwords and SMS codes, they are advised to act now. Your passwords and email addresses are guaranteed to have leaked or breached or been stolen somewhere.
The process of securing a PayPal account takes under 2 minutes. It's a small step that can make a significant difference in protecting your personal and financial information.
[1] HackRead. (2025). PayPal data breach: Hackers claim to have stolen 15.8 million login credentials. [online] Available at: https://www.hackread.com/paypal-data-breach-hackers-claim-to-have-stolen-15-8-million-login-credentials/
[2] KrebsOnSecurity. (2025). PayPal Denies New Data Breach Amidst Allegations of Stolen Credentials. [online] Available at: https://krebsonsecurity.com/2025/06/paypal-denies-new-data-breach-amidst-allegations-of-stolen-credentials/
[3] ZDNet. (2025). PayPal denies new data breach despite hackers selling 15.8 million login credentials. [online] Available at: https://www.zdnet.com/article/paypal-denies-new-data-breach-despite-hackers-selling-15-8-million-login-credentials/
