A “15.8 Million” Account Leak? Hackers Claim New PayPal Data Dump, Company Denies Breach

On a well-known data leak forum, a post has surfaced advertising the sale of a database allegedly containing 15.8 million PayPal accounts, complete with email addresses and plaintext passwords. The seller claims the information is fresh, obtained in May of this year. PayPal, however, has refuted these assertions, insisting the dataset relates to an older 2022 incident and that no new breaches have occurred.

Even so, the listing has attracted attention due to the sheer scale of the purported leak. At present, its authenticity cannot be confirmed. Researchers at Cybernews note that the sample provided is far too small for independent verification. Moreover, the suspiciously low asking price for such a vast trove of logins and passwords raises doubts about the credibility and quality of the material.

According to a PayPal spokesperson, the hackers are referencing a 2022 credential stuffing attack that affected 35,000 users. That event led to a regulatory investigation in the United States, and in early 2025, PayPal agreed to pay $2 million to settle claims brought by New York regulators, who determined the company had failed to meet cybersecurity requirements.

The advertised database, according to its sellers, includes not only email addresses and passwords but also associated URLs and so-called “variants,” making the information more useful for automated attacks against services. If any portion of the dataset is genuinely recent, it could significantly facilitate new credential stuffing campaigns targeting users worldwide. At the same time, the poster admitted the dump contains numerous duplicates and already compromised passwords.

Experts suggest the data may not have originated from PayPal itself but from infected user devices. In recent years, the darknet has been flooded with infostealers—malware such as RedLine, Raccoon, and Vidar, which harvest saved passwords, browser cookies, autofill data, and even cryptocurrency wallets from compromised machines. These tools typically generate databases in the form of URL–login–password triplets, which matches the format of the alleged “dump.” Similar collections of stolen data have previously fueled large-scale leaks, including those tied to Snowflake.

PayPal continues to emphasize that no major breaches of its own infrastructure have ever been recorded, and the hackers’ claims remain unsubstantiated. Nonetheless, users are urged to remain vigilant: employ strong, unique passwords and enable multi-factor authentication, which remains the most effective safeguard against attackers, even when stolen credentials are in circulation.