A cybercrime forum post by a user known as “Chucky_BF” claims to be selling a dataset of approximately 15.8 million PayPal account credentials—including email addresses, plaintext passwords, and associated URLs—allegedly stolen in May 2025. PayPal swiftly denied any new breach, attributing the data to a “security incident” in 2022 that exposed only around 35,000 accounts. Security researchers remain skeptical of the dump’s authenticity: they point to the unusually low sale price, small sample size, and similarities to infostealer malware logs as signs the data may have been harvested from compromised devices rather than PayPal’s systems. In light of the uncertainty, users are advised to reset PayPal passwords (especially if reused), enable multi-factor authentication, and employ tools like password managers, antivirus, VPNs, and identity protection services.
Sources: TechRadar, Tom’s Guide, PC World
Key Takeaways
– The low asking price for the dataset raises suspicion about its authenticity and quality.
– Infostealer malware—which harvests credentials from victims’ devices—is a likely source rather than a direct PayPal breach.
– PayPal links the incident back to its 2022 “security incident,” and regulators previously fined them over that event.
In-Depth
There’s a fresh scare going around: someone using the handle “Chucky_BF” is offering what they say is a treasure trove of PayPal credentials—over 15.8 million email-password pairs, each linked to specific PayPal login pages. That sounds massive, but take a breath.
PayPal itself dismisses the claim, saying no new breach happened and pointing back to a long-resolved 2022 incident that affected a fraction of that many accounts. And here’s why the skepticism is well-founded: the data’s being sold for a suspiciously low price, researchers could verify only a tiny slice, and the format seems lifted straight from infostealer malware—malicious software that quietly steals logins from infected devices.
Put simply, it’s more plausible the data was collected from individuals’ compromised systems—then mashed together and marketed under PayPal’s name—rather than ripped from PayPal itself. But misleading or not, the effect on users is real: reused passwords can give crooks tools for credential stuffing and phishing. The bottom line? Act now. Reset your PayPal password, make it unique; fire up multi-factor authentication; and consider a password manager, antivirus software, or identity protection service to stay one step ahead. The lesson sticks: even whispers of leaks demand a swift response.