Over 16 million PayPal accounts exposed on a hacking forum, including passwords
PayPal emails, plaintext passwords and more are currently up for sale on the dark web

A post on a well-known hacking forum claims to have a dataset of millions of PayPal account credentials, including login emails and plaintext passwords. As reported by Cybernews, the author of the post claims the stolen data dates from May 2025 and includes 15.8 million login emails, passwords, associated URLs and variants from accounts worldwide.
Having emails and passwords available online for anyone to access puts PayPal users at obvious risk – even though many users already have multi-factor authentication enabled. The exposure of associated URLs means that attackers can also be pointed at other services that are linked to the information leaked in the data breach. The leak is also structured so that attackers can easily use the exposed data for other malicious behavior, such as automated credential stuffing attacks.
There are few additional details about the leak at this time. The hackers responsible say that the leak includes thousands of strong and unique password strings, but many may be reused, which would make the amount of useful data smaller. In fact, the price at which this stolen data is being sold to other hackers on the dark web would indicate that this is the case. Additionally, researchers have pointed out that if the stolen data was quite recent, much of it would have already been exploited by now.
PayPal has not yet commented publicly on the forum post's claims, and no one has been able to verify them either, given the small size of the data sample provided. PayPal has never suffered a major data breach before, which to many indicates that the hackers may have obtained this data through other means. Some have suggested that info-stealing malware was used to obtain it, given the way that the stolen data has been structured (URL, login, password).
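For a defender handed a sample of such a dump, the (URL, login, password) structure and the password reuse described above can be triaged as follows. This is an added example, not code from the article or from Cybernews; the colon-delimited layout, the `example.com` domain and every sample record are assumptions constructed for illustration.

```python
import hmac
import os
import re
from collections import defaultdict

# Assumed layout: URL:login:password, one record per line. The URL may carry a
# port and the password may contain colons, so line.split(":") is not enough.
RECORD = re.compile(
    r"^[a-z][a-z0-9+.-]*://(?P<host>[^\s:/]+)(?::\d+)?(?:/[^\s:]*)?"
    r":(?P<login>[^\s:]+):(?P<password>.+)$",
    re.IGNORECASE,
)

def parse_record(line):
    """Return (host, login, password), or None if the line does not fit."""
    m = RECORD.match(line.strip())
    return (m["host"].lower(), m["login"].lower(), m["password"]) if m else None

def triage(lines, our_domains, key=None):
    """Report exposed logins in our_domains: hosts seen and password reuse."""
    key = key or os.urandom(32)  # keyed fingerprints, so no plaintext is kept
    seen = defaultdict(lambda: defaultdict(set))  # login -> fingerprint -> hosts
    skipped = 0
    for line in lines:
        rec = parse_record(line)
        if rec is None:
            skipped += 1
            continue
        host, login, password = rec
        if login.rpartition("@")[2] not in our_domains:
            continue
        fp = hmac.new(key, password.encode(), "sha256").hexdigest()[:16]
        seen[login][fp].add(host)
    report = {}
    for login, by_fp in seen.items():
        report[login] = {
            "hosts": sorted(set().union(*by_fp.values())),
            "reused": any(len(hosts) > 1 for hosts in by_fp.values()),
        }
    return report, skipped

# Constructed sample records, not real data.
SAMPLE = [
    "https://www.paypal.com/signin:alice@example.com:Summer2024!",
    "https://shop.example.net/login:alice@example.com:Summer2024!",
    "https://www.paypal.com:443/signin:bob@example.com:x9:Qv#7",
    "https://www.paypal.com/signin:carol@other.test:hunter2",
    "truncated line with no fields",
]
```

Calling `triage(SAMPLE, {"example.com"})` returns the per-login report and the count of unparseable lines; logins flagged `reused` are the ones to prioritize for password resets across every listed host.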
Infostealers are often installed after users click on a malicious link or attachment that has malware embedded in it; the malware then works quietly in the background to funnel stolen information back to the attackers. Some infostealers can hide themselves or delete themselves after they’ve taken passwords, browser data or payment information, and they’re available to buy or rent on the dark web for any platform. This is reason enough to have the best antivirus software installed on your devices and kept up to date. It’s also important to follow good security practices, have browser features enabled to protect you online and make full use of the extras included in many antivirus suites, like a VPN or firewall.

Amber Bouman is the senior security editor at Tom's Guide where she writes about antivirus software, home security, identity theft and more. She has long had an interest in personal security, both online and off, and also has an appreciation for martial arts and edged weapons. With over two decades of experience working in tech journalism, Amber has written for a number of publications including PC World, Maximum PC, Tech Hive, and Engadget covering everything from smartphones to smart breast pumps.