
A dataset allegedly containing 15.8 million PayPal credentials has surfaced on a popular data leak forum, with hackers claiming the information is both recent and authentic. PayPal, however, firmly denies any new breach, attributing the claims to an earlier incident from 2022.
The listing appeared on a well-known underground forum often used to share or sell stolen data. According to the post’s author, the trove includes login emails, plaintext passwords, and associated URLs tied to PayPal accounts worldwide. If legitimate, such details could enable cybercriminals to bypass the first layer of account protection, although many PayPal users rely on multi-factor authentication.
A PayPal spokesperson told Cybernews that no breach occurred this year. “There has been no data breach – this is related to an incident in 2022 and not new,” the company said in an emailed statement.
In 2022, PayPal reported a large-scale credential stuffing attack that compromised about 35,000 accounts. The case resurfaced in early 2025 when the company agreed to pay $2 million to U.S. regulators for failing to comply with New York’s cybersecurity requirements.
Despite PayPal’s denial, the attackers insist they obtained the dataset in May 2025. They claim it contains not only login details but also “thousands of unique and strong-looking” passwords, though they acknowledge that many appear to be reused. The attackers are offering the dataset for sale, but researchers note that the price is unusually low for a leak of such scale, raising doubts about its quality and authenticity.
Cybersecurity researchers who reviewed a sample of the data said the sample was too small to verify the attackers’ claims. They added that if the information was indeed stolen in May, much of its value would already have been exploited. Some experts suggest the dataset’s structure, which includes URLs alongside login credentials, resembles records typically harvested by infostealer malware rather than data taken in a direct breach of PayPal’s systems.

© 2025, Lyonsdown Limited. teiss® is a registered trademark of Lyonsdown Ltd. VAT registration number: 830519543