Jump to content
Login new information ×
Giveaway Contest ×
Login new information
Giveaway Contest
  • Security & Privacy News

    Login credentials for millions of PayPal accounts reportedly being sold online

    Karlston

    By Karlston,
    Published Date:

    • 534 views
    • 2 minutes
     Share
    • 534 views
    • 2 minutes

    PayPal is a very lucrative target for malicious actors since the platform is responsible for managing financial transactions for millions of users on a global scale. As such, it is extremely alarming when a malicious actor claims to have access to login credentials of millions of accounts and is selling them online.

     

    According to multiple outlets which have seen the massive PayPal data dump, such as Hackread and Cybernews, the "Global PayPal Credential Dump 2025" repository on the dark web contains email addresses and plaintext password pairs for 15.8 million accounts. The seller also claims to have access to user-specific endpoints which can be leveraged to automate logins and abuse other PayPal services. Altogether, the trove weighs in at about 1.1GB, and the seller is asking for $750 for anyone who wants access to it.

     

    PayPal downplayed this issue in a statement to Cybernews, claiming that the data dump is not a result of a new breach, rather, it is from a cybersecurity incident in 2022. In that year, PayPal suffered credential-stuffing attack, and in January 2025, the company paid a $2 million fine to U.S. regulators after it was deemed that its platform security measures weren't strong enough to govern who gets access to personal user data like phone numbers, emails, addresses, and social security numbers.

     

    That said, the seller has denied that this data comes from an older breach, and says that it is actually from an incident in May 2025. Interestingly, PayPal hasn't disclosed any cybersecurity lapse that occurred during this timeframe. This indicates that if the data is indeed valid, it may have been captured through an infostealer malware. That said, it is impossible to verify the authenticity of the data without getting full access to it. As always, make sure you have a strong password that was recently updated and that you leverage multi-factor authentication (MFA) mechanisms.

     

    Source

    Hope you enjoyed this news post. Feedback welcome.

    Posted Tuesday 19 August 2025 at 5:49 pm AEST (my time).

    News posts... 2023: 5,800+ | 2024: 5,700+ | 2025 (till end of July): 3,458

    RIP Matrix

     Share
    Go to news

    User Feedback

    Recommended Comments

    There are no comments to display.



    Join the conversation

    You can post now and register later. If you have an account, sign in now to post with your account.
    Note: Your post will require moderator approval before it will be visible.

    Guest
    Add a comment...

    ×   Pasted as rich text.   Paste as plain text instead

      Only 75 emoji are allowed.

    ×   Your link has been automatically embedded.   Display as a link instead

    ×   Your previous content has been restored.   Clear editor

    ×   You cannot paste images directly. Upload or insert images from URL.

    ×

  • Recently Browsing   0 members

    • No registered users viewing this page.
×
×
  • Create New...