PayPal is an online payment system that allows individuals and businesses to send and receive money, manage payments, and make online purchases. It acts as an intermediary, facilitating transactions between users and various online platforms.

A post on a dark web hacking forum claims to offer a dataset of millions of PayPal account credentials, including login emails and plaintext passwords. As reported by Cybernews, the author of the post claims the stolen data was taken from May 2025 and includes 15.8 million login emails, passwords, associated URLs and variants from accounts worldwide, which could feed automated credential stuffing attacks.

Credential stuffing is a cyberattack method in which attackers use lists of compromised user credentials to break into a system. The attack uses bots for automation and scale, and is based on the assumption that many users reuse usernames and passwords across multiple services.
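An added example, not from the article or from PayPal, showing how the pattern described above looks from the defender's side: one source trying many different usernames in a short window, with almost every attempt failing. The event format, thresholds and the function name `detect_stuffing` are assumptions, and the sample events are constructed.

```python
from collections import defaultdict

# Constructed sample login events: (unix_seconds, source_ip, username, succeeded)
SAMPLE_EVENTS = [
    # One source cycling through a credential list; the last pair happens to work
    (0, "203.0.113.7", "amir", False), (5, "203.0.113.7", "bea", False),
    (10, "203.0.113.7", "chen", False), (15, "203.0.113.7", "dana", False),
    (20, "203.0.113.7", "eli", False), (25, "203.0.113.7", "fay", True),
    # One user mistyping a password, then logging in
    (3, "198.51.100.20", "gus", False), (9, "198.51.100.20", "gus", True),
    # Shared office NAT: many users, but every login succeeds
    (1, "192.0.2.10", "hana", True), (8, "192.0.2.10", "ivo", True),
    (16, "192.0.2.10", "jo", True), (30, "192.0.2.10", "kim", True),
    (41, "192.0.2.10", "lee", True),
]

def detect_stuffing(events, window=60, min_users=5, max_success_ratio=0.2):
    """Flag IPs that try >= min_users distinct usernames within `window`
    seconds while at most max_success_ratio of those attempts succeed."""
    by_ip = defaultdict(list)
    for ts, ip, user, ok in events:
        by_ip[ip].append((ts, user, ok))
    flagged = {}
    for ip, rows in by_ip.items():
        rows.sort()                      # order each source's attempts by time
        start = 0
        for end in range(len(rows)):
            while rows[end][0] - rows[start][0] > window:
                start += 1               # slide the window forward
            win = rows[start:end + 1]
            users = {u for _, u, _ in win}
            ratio = sum(ok for _, _, ok in win) / len(win)
            if len(users) >= min_users and ratio <= max_success_ratio:
                flagged[ip] = {
                    "attempts": len(rows),
                    "distinct_users": len({u for _, u, _ in rows}),
                    # Any login that succeeded from a flagged source
                    # means that account's password is known to the attacker
                    "reset_passwords_for": sorted({u for _, u, ok in rows if ok}),
                }
                break
    return flagged

if __name__ == "__main__":
    for ip, info in detect_stuffing(SAMPLE_EVENTS).items():
        print(ip, info)
```

The success-ratio condition is what keeps the shared office address from being flagged even though it also shows five distinct usernames.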

Having emails and passwords available online for anyone to access puts PayPal users at obvious risk – even though many users already have multi-factor authentication enabled. The exposure of associated URLs means that attackers can also be pointed at other services linked to the leaked information. Likewise, the leak has been structured in a way that lets attackers easily leverage the exposed data for other malicious behavior.

PayPal has not yet commented publicly on the forum post's claims, and no one has been able to verify them either, given the small size of the data sample provided.

PayPal has never suffered a major data breach before, which to many indicates that the hackers may have obtained this data through other means. Some have suggested that info-stealing malware was used to obtain it, given the way the stolen data has been structured (URL, login, password).

Infostealers are often installed after users click on a malicious link or attachment that has malware embedded in it. The malware then works quietly in the background to funnel stolen information back to the attackers.

Some infostealers can hide themselves or delete themselves after they’ve taken passwords, browser data or payment information, and they’re available to buy or rent on the dark web for any platform.

This is reason enough to have antivirus software installed on your devices and kept up to date. It’s also important to follow good security practices, enable your browser’s built-in protection features and make full use of the extras included in many antivirus suites, like a VPN or firewall.
