A threat actor using the alias “Chucky_BF” is advertising what they claim is a trove of 15.8 million PayPal login credentials on a popular underground forum, but PayPal says there is no new breach, and outside experts suspect the data was harvested from infected devices rather than taken from the company’s systems. The listing, titled “Global PayPal Credential Dump 2025,” is described as a 1.1GB dataset containing emails, plaintext passwords, and PayPal-related URLs. The seller asserts the haul is recent—dated to May 2025—and calls it a “goldmine” for criminals because of its structure and references to Android-specific URIs and endpoints such as /signin, /connect, and /signup, which could streamline automated login attempts across mobile and desktop.
According to screenshots shared by the seller, samples show email addresses paired with passwords and corresponding PayPal login pages, with claims that the combos work on both mobile and desktop. The actor is offering full access for $750 and says most passwords appear unique, while acknowledging some reuse. The relatively low asking price for what would be a high-value dataset, combined with the presence of plaintext passwords, immediately raised doubts among researchers. Cybersecurity writers and analysts note that legitimate platform breaches do not yield plaintext passwords, which are typically stored using strong hashing; plaintext credentials most often originate from infostealer malware that exfiltrates saved logins from browsers and password managers on compromised devices, or from large credential-stuffing collections compiled from older leaks.
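The reasoning above (plaintext passwords plus login URLs point to infostealer logs; salted hashes point to a platform database) is the kind of check an incident responder runs on a sample before deciding whether a claimed dump warrants escalation. The script below is an added example written for this article, not code from the seller, from PayPal, or from any of the researchers quoted. The record formats it parses (pipe-separated `url|email|secret` for stealer-style logs and colon-separated `email:secret` for database-style dumps) and every sample line are constructed assumptions; it detects common hash encodings, tallies duplicate pairs and cross-account password reuse, and returns a verdict on which origin the sample most resembles.

```python
"""Triage a sample of a claimed credential dump: stealer log or database dump?"""
import re
from collections import Counter
from dataclasses import dataclass
from typing import Optional
from urllib.parse import urlparse

# Ordered patterns for secrets that are stored hashes rather than plaintext.
# A real platform breach normally yields one of these shapes, not raw passwords.
HASH_PATTERNS = [
    ("bcrypt", re.compile(r"^\$2[abxy]\$\d{2}\$[./A-Za-z0-9]{53}$")),
    ("argon2", re.compile(r"^\$argon2(?:id|i|d)\$")),
    ("scrypt-or-pbkdf2", re.compile(r"^(?:\$scrypt\$|pbkdf2_)")),
    ("md5-hex", re.compile(r"^[0-9a-fA-F]{32}$")),
    ("sha1-hex", re.compile(r"^[0-9a-fA-F]{40}$")),
    ("sha256-hex", re.compile(r"^[0-9a-fA-F]{64}$")),
]


def classify_secret(secret: str) -> str:
    """Return the hash family a secret matches, or 'plaintext' if none does."""
    for name, pattern in HASH_PATTERNS:
        if pattern.match(secret):
            return name
    return "plaintext"


@dataclass
class Record:
    email: str
    secret: str
    url: Optional[str] = None  # present only in stealer-style records


def parse_record(line: str) -> Optional[Record]:
    """Parse one line; assumed formats: 'url|email|secret' or 'email:secret'."""
    line = line.strip()
    if not line:
        return None
    if "|" in line:  # stealer-style line (assumption: no '|' inside passwords)
        parts = line.split("|")
        if len(parts) != 3:
            return None
        url, email, secret = parts
        return Record(email=email.lower(), secret=secret, url=url)
    if ":" in line:  # database-style line; split at the first colon only
        email, secret = line.split(":", 1)
        return Record(email=email.lower(), secret=secret)
    return None


def endpoint_of(url: str) -> str:
    """Path component of a login URL (works for https:// and android:// forms)."""
    return urlparse(url).path or "/"


def triage(lines) -> dict:
    """Summarise a sample and state which origin it is most consistent with."""
    records = [r for r in (parse_record(l) for l in lines) if r]
    n = len(records)
    if n == 0:
        return {"records": 0, "verdict": "no parseable records"}
    kinds = Counter(classify_secret(r.secret) for r in records)
    plaintext = kinds["plaintext"]
    with_url = sum(1 for r in records if r.url)
    endpoints = Counter(endpoint_of(r.url) for r in records if r.url)
    # Exact email+secret duplicates: a sign of padding or repackaged data.
    pairs = Counter((r.email, r.secret) for r in records)
    duplicate_pairs = sum(c - 1 for c in pairs.values())
    # Same plaintext password across distinct accounts: the reuse that makes
    # credential stuffing work even when the source is not the platform itself.
    accounts_per_password: dict = {}
    for r in records:
        if classify_secret(r.secret) == "plaintext":
            accounts_per_password.setdefault(r.secret, set()).add(r.email)
    reused = sum(1 for emails in accounts_per_password.values() if len(emails) > 1)

    if plaintext / n > 0.5 and with_url / n > 0.5:
        verdict = "consistent with infostealer logs (plaintext secrets tied to login URLs)"
    elif (n - plaintext) / n > 0.5:
        verdict = "consistent with a hashed platform database dump"
    else:
        verdict = "mixed; looks like a compilation of recycled credentials"
    return {
        "records": n,
        "plaintext": plaintext,
        "hashed_kinds": {k: v for k, v in kinds.items() if k != "plaintext"},
        "with_url": with_url,
        "endpoints": dict(endpoints),
        "duplicate_pairs": duplicate_pairs,
        "reused_passwords": reused,
        "verdict": verdict,
    }


# Constructed sample lines; none of these are real credentials or real hashes.
SAMPLE_LINES = [
    "https://www.paypal.com/signin|alice@example.com|Summer2025!",
    "android://com.paypal.android.p2pmobile/signin|bob@example.com|hunter2",
    "https://www.paypal.com/connect|carol@example.com|Summer2025!",
    "https://www.paypal.com/signup|alice@example.com|Summer2025!",
    "dave@example.com:$2b$12$" + "x" * 53,
    "erin@example.com:5f4dcc3b5aa765d61d8327deb882cf99",
]

if __name__ == "__main__":
    for key, value in triage(SAMPLE_LINES).items():
        print(f"{key}: {value}")
```

On the constructed sample the verdict is the infostealer one, because two thirds of the records are plaintext and carry a login URL; feed it a sample that is entirely bcrypt or hex digests and the verdict flips to the database-dump case. The duplicate and reuse counters are there because, as the article notes, advertised totals routinely include repeats and shared passwords, so the headline number says little about how many distinct accounts are actually at risk.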
PayPal, in comments to reporters, denied any new compromise and said the chatter relates back to an incident in 2022 rather than a fresh breach. Independent experts, including Have I Been Pwned creator Troy Hunt, have suggested the most plausible explanations are infostealer logs, credential-stuffing compilations, or even fabricated records designed to lure buyers. Hackread’s Waqas likewise assessed that if any of the data is real, it likely did not come from PayPal’s core systems and more closely resembles the kind of logs that circulate widely in criminal markets.
The company’s security posture has drawn scrutiny before. In December 2022, attackers used credential stuffing to access about 35,000 customer accounts, exposing personal information and spurring a U.S. class-action lawsuit the following year. In January 2025, New York State’s Department of Financial Services fined PayPal $2 million over that episode and related cybersecurity deficiencies. Those precedents help explain why claims of a massive “new” dump get attention, even as investigators caution that large numbers advertised in underground forums often include duplicates, stale credentials, and unverifiable material.
For PayPal customers, the risk is less about a hypothetical compromise of PayPal’s backend and more about whether any working email-password pairs exist in the advertised cache—especially if those passwords are reused across multiple sites. Valid combinations could enable account takeovers, fraudulent transactions, targeted phishing, and broader credential-stuffing attempts. Users should respond as if some portion of the dataset could work in the wild: change their PayPal password immediately and avoid reuse anywhere else; enable two-factor authentication or, preferably, passkeys to add a strong second factor; review recent PayPal activity and bank or card statements linked to the account and set up alerts; and scan devices for malware to reduce the chance that infostealers are harvesting fresh credentials. Being skeptical of unsolicited emails or texts referencing PayPal and using only official apps or direct URLs to log in can further reduce exposure to phishing that often follows publicity around alleged leaks.
Bottom line: There is no evidence so far of a new breach of PayPal’s systems. The more likely scenario is a repackaged trove of infostealer logs or recycled credentials—still dangerous to individuals who reuse passwords but not indicative of a systemic compromise at PayPal. Treat the claims as a prompt to harden your account security now, rather than as confirmation of a catastrophic platform-level incident.