Over 16 million PayPal logins reportedly for sale, what users should do now
A dataset claiming to contain 15.8 million PayPal login emails and plaintext passwords surfaced on a well-known leak forum in mid-August 2025. The seller says the data was stolen in May 2025 and includes the linked login URLs, which could streamline automated credential stuffing attacks. PayPal denies that any new breach has occurred and says the dump likely relates to older incidents involving infostealer malware rather than a compromise of its systems.
In a statement to reporters, PayPal pointed to a previously disclosed security incident from 2022, which affected about 35,000 accounts and later led to a 2 million US dollar penalty from New York’s Department of Financial Services. That scale is far smaller than the nearly 16 million logins now being touted. Regulators said the 2022 case involved failures to meet state cybersecurity rules.
Security researchers are treating the latest claims with caution. The dataset was reportedly listed for as little as 2 US dollars earlier this month, a suspiciously low price that has fuelled doubts about freshness and provenance. Analysts who examined samples say the structure resembles logs harvested by infostealer malware from infected devices, rather than a direct intrusion into PayPal.
Why this matters
If even a fraction of the credentials are valid, the combination of emails, passwords and related URLs is tailor-made for credential stuffing. Attackers can script logins across many sites, and reused passwords are the soft target. Multi-factor authentication helps, but criminals often pair stolen passwords with session cookies and social engineering to work around a single defence.
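Defenders can spot a credential stuffing run from the login pattern alone: one source trying many different accounts in a short window, with almost all attempts failing. The following is an added example, not code from the article or from PayPal, that applies that heuristic to constructed authentication log lines; the log format, thresholds and IP addresses are all assumptions.

```python
"""Credential-stuffing detector over constructed authentication log lines (example, not PayPal's code)."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines: "<ISO timestamp> <source_ip> <email> <result>"
# 203.0.113.7 replays a leaked list (many accounts, mostly failures);
# 198.51.100.9 is one user mistyping their own password twice.
SAMPLE_LOG = """\
2025-08-20T10:00:01 203.0.113.7 alice@example.com FAIL
2025-08-20T10:00:02 203.0.113.7 bob@example.com FAIL
2025-08-20T10:00:03 203.0.113.7 carol@example.com FAIL
2025-08-20T10:00:04 203.0.113.7 dave@example.com OK
2025-08-20T10:00:05 203.0.113.7 erin@example.com FAIL
2025-08-20T10:00:06 203.0.113.7 frank@example.com FAIL
2025-08-20T10:00:07 203.0.113.7 grace@example.com FAIL
2025-08-20T10:00:08 203.0.113.7 heidi@example.com FAIL
2025-08-20T10:00:09 203.0.113.7 ivan@example.com FAIL
2025-08-20T10:05:00 198.51.100.9 alice@example.com FAIL
2025-08-20T10:05:30 198.51.100.9 alice@example.com FAIL
2025-08-20T10:06:00 198.51.100.9 alice@example.com OK
"""

def parse(log_text):
    """Turn log lines into (timestamp, source_ip, account, succeeded) tuples."""
    events = []
    for line in log_text.splitlines():
        ts, ip, user, result = line.split()
        events.append((datetime.fromisoformat(ts), ip, user.lower(), result == "OK"))
    return events

def detect_stuffing(events, window=timedelta(minutes=10), min_attempts=8,
                    min_distinct=5, max_success_ratio=0.3):
    """Return {source_ip: summary} for sources whose attempts look like a stuffing run.
    Thresholds are assumed values for this example; tune them to real traffic."""
    by_ip = defaultdict(list)
    for ts, ip, user, ok in events:
        by_ip[ip].append((ts, user, ok))
    flagged = {}
    for ip, rows in by_ip.items():
        rows.sort()
        start = 0
        for end in range(len(rows)):            # sliding time window per source
            while rows[end][0] - rows[start][0] > window:
                start += 1
            span = rows[start:end + 1]
            distinct = {u for _, u, _ in span}
            successes = sum(1 for _, _, ok in span if ok)
            if (len(span) >= min_attempts and len(distinct) >= min_distinct
                    and successes / len(span) <= max_success_ratio):
                # accounts that succeeded inside the run are the ones to force-reset
                flagged[ip] = {"attempts": len(span), "distinct_accounts": len(distinct),
                               "compromised": sorted(u for _, u, ok in span if ok)}
                break
    return flagged
```

The successful logins inside a flagged window are the accounts that should be forced through a password reset and session invalidation first.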
What PayPal users should do now
- Change your PayPal password today, choose a unique, long passphrase you do not use anywhere else.
- If you reused that password, update those other accounts as well, prioritise banking, email, cloud storage and shopping.
- Turn on multi-factor authentication for PayPal and your email, prefer an authenticator app or hardware key.
- Use a reputable password manager to generate and store unique passwords for every service.
- Monitor your accounts for unusual activity and set up alerts for logins, payments and withdrawals. Consider an identity monitoring service if you suspect exposure.
- Keep devices clean, install updates, run trusted antivirus, and avoid unknown downloads and extensions that can plant infostealers.
What to watch next
Investigators are still validating how much of the dataset is usable. If the dump is mostly recycled logs from older infections, the risk will hinge on how many victims have changed passwords since. If a significant share of passwords still work, users should expect a rise in automated login attempts against PayPal and other popular services. Official statements from PayPal and independent researchers will clarify the scope when available.