Concerns over a potential PayPal data hack are rising after a post appeared on August 16th on a dark web marketplace, offering 15.8 million PayPal users’ login credentials for sale. The threat actor, named Chucky-BF posted what they described as “Global PayPal Credential Dump 2025”. The data would include the login email addresses and plain text passwords of almost 16 million PayPal users, the hacker said.

The dark web post advertising almost 16 million PayPal credentials for sale, leading people to believe that PayPal was hacked in 2025. Image: Cybernews.

PayPal has denied the data breach, and its representative told Cybernews that the data could be from a past incident that occurred in 2022. While it remains unconfirmed if PayPal was hacked, the claims also cannot be independently verified due to the sample size of the data being too small. Experts have also said that they do not believe that PayPal itself has suffered a data breach, but suggest the information could have been obtained elsewhere, for example, through infostealer malware. If infostealer malware was used, the credentials would have been extracted directly from the users’ devices, and this would explain why the dataset structure matches known infostealer logs. Additionally, the data is being sold for a low price, suggesting the credentials are not from a new leak.

However, it does not really matter whether this data hack has recently happened or took place in the past. Because of this hack millions of PayPal users’ online accounts are at risk.

Turn ON Privacy in one click.

Get

PayPal hack: What is known

The attacker under the name Chucky-BF claims the data was collected in May 2025 and contains the sensitive data of PayPal accounts from around the world. It’s concerning that millions of users’ credentials are said to be for sale, but what makes it more threatening is the type of data said to be for sale, too.

This includes PayPal users:

• Email addresses for login

• Passwords in plain text

• Associated URLs link to PayPal services

• Variants

If the data dump for sale is confirmed true, PayPal accounts will be at risk of unauthorized access and malicious activity. Not only will this affect a large number of PayPal accounts, but another problem is that the breach could lead to a further compromise of a user’s digital identity, for example leading to identity theft, financial fraud, and the resale of users’ accounts. To give an example, if a user has the same login credentials for multiple accounts, a credential stuffing attack with the acquired PayPal data could allow malicious actors to gain access to more of their online accounts.

The biggest threat to users is if they used the same password for their email account and for PayPal. While PayPal nowadays requires 2-factor authentication (and thus should be rather safe despite this hack), most email providers do not. By being able to buy a set of data consisting of email addresses plus PayPal passwords, malicious attackers can now test whether the PayPal passwords also work on the email accounts mentioned. This way, they can take over not just the email account of the victim, but also other accounts that are associated with their email address via the popular (but dangerous!) password-reset function via email.

This is why we at Tuta Mail highly recommend using two-factor authentication, best with U2F as it is the safest method.

Turn ON Privacy in one click.

Get

The bottom line

For now, it remains unclear if this could be the worst PayPal hack in history. But whether the PayPal hack is real or not, you should reset your PayPal password with a strong passcode that’s a minimum of 16 characters. This is a simple and easy way to protect your online accounts from potential threats and data leaks. And for even better login security, we’d recommend using U2F as two-factor authentication to protect your PayPal login. This way, you won’t need to worry about any potential PayPal hack that’s making the news. If you believe that your PayPal account or any online account has been compromised, you can check whether they were hacked or not with these tips.

Extra steps to ensure the security of your online accounts:

• Use a password manager to easily create and store strong passwords.

• Use email aliases to protect your identity and not hand out your primary email address.

• Be cautious when clicking on links, especially in emails that could be phishing.

• When it comes to communicating online via emails or instant messages, make sure your communications are secured with end-to-end encryption.

FAQs

Was PayPal hacked in 2025?

PayPal has never reported that it suffered a hack, and there is no evidence to show that PayPal’s internal infrastructure has been hacked. In 2025, Hackers claim to have successfully got hold of the login credentials of ~16 million PayPal users from around the world. PayPal has denied that the leaked data is from a recent hack. Security experts believe these login credentials are likely taken directly from PayPal users through infostealer malware.

Has PayPal been hacked in 2024?

Although individual PayPal users’ accounts may have been hacked through different kinds of hacking methods like phishing attacks or using weak passwords, as a company, PayPal was not hacked in 2024, according to official statements.

Has PayPal had any data breaches?

PayPal has never suffered a direct data breach that was directed at the company’s own internal systems, but it has had security incidents. This means that the information acquired has never been extracted directly from the company but through other forms.

In 2022, PayPal suffered a data breach in which malicious attackers accessed around 35,000 user accounts through credential stuffing attacks. This hack was possible because of a security vulnerability in PayPal. Consequently, the 2022 is the worst PayPal hack in history. Beginning 2025, the Silicon Valley tech giant has been sentenced to pay a $2 million civil fine due to cybersecurity failures which made this hack possible. This breach exposed 35k of users’ personal data, including names, addresses, tax identification, and social security numbers.