PayPal denies breach amid claims that 16 million accounts surfaced on dark web

Setting the stage

After reports that nearly 16 million login credentials, emails, and plaintext passwords were listed for sale on the dark web, PayPal is under intense scrutiny. Going by the alias Chucky_BF, the hacker reportedly priced the massive trove at only $750.

While the claim has sparked widespread concern, PayPal insists no new breach has occurred, pointing instead to data tied to an older security incident from 2022.

Leak claims and volume

A dark web vendor using the name Chucky_BF claims to be selling a vast database containing 15.8 million PayPal accounts. Unlike typical leaks, this one includes plaintext passwords, significantly raising the stakes if genuine.

The entire package was posted for the astonishingly low price of $750. The scale and sensitivity of this alleged leak have alarmed cybersecurity experts, who note that even a fraction of valid accounts could be highly damaging.

Data composition

The dataset allegedly includes complete email addresses from widely used providers like Gmail, Yahoo, and Hotmail, paired with plaintext passwords. It also lists PayPal-specific login URLs, including regional and mobile access versions.

That level of detail makes it easier for attackers to design targeted scams that closely mimic legitimate PayPal login portals. If accurate, this structure would allow cybercriminals to trick victims into handing over financial access directly.

Low price raises doubts

While the size of the alleged leak is eye-catching, the hacker’s bargain-basement pricing has fueled skepticism. Selling millions of active PayPal accounts for only a few hundred dollars doesn’t align with typical dark web market values, where verified financial credentials usually fetch a premium.

This unusually low cost suggests the data could be outdated, heavily duplicated, or otherwise unreliable, leaving experts questioning whether the dataset is truly as dangerous as advertised.

PayPal’s official position

PayPal has strongly denied that its systems were recently breached. Instead, the company asserts the leaked information is linked to an older cybersecurity event, not a fresh compromise.

PayPal emphasizes that its internal protections remain intact and insists there is no evidence of a new intrusion. The company also encourages users to follow best online security practices, reinforcing that its platform has not been hacked again.

2022 credential stuffing attack

Back in 2022, PayPal suffered a credential stuffing attack, where hackers used lists of stolen usernames and passwords from unrelated breaches to access around 35,000 accounts. While relatively small in scale, the fallout was significant.

PayPal later faced regulatory action in New York, culminating in a $2 million settlement in 2025 for failing to meet required cybersecurity standards. That event remains central to understanding today’s data leak claims.

Possible malware origin

Security professionals believe the supposed PayPal credentials may have originated not from PayPal’s servers, but from malware infections on individual devices. Specifically, infostealer malware can silently gather usernames, passwords, and cookies stored on a victim’s computer.

This scenario would explain why the dump contains plaintext passwords, something companies like PayPal never store in that form. It also aligns with patterns seen in previous large-scale dark web data dumps.

How infostealers work

Infostealer malware typically spreads through phishing emails, malicious attachments, or infected downloads. Once installed, it hides on a device, extracting sensitive data such as saved passwords, browsing history, and session cookies.

The stolen information is then uploaded to criminal servers and packaged for resale. Unlike corporate breaches, these attacks exploit individuals directly, making detection difficult. Victims often don’t realize their devices were infected until long after the theft.

Reuse of passwords

Analysis of the sample data shows that many of the exposed passwords are reused across different services. Repeated use drastically reduces their effectiveness even when they appear strong at first glance.

Hackers exploit this weakness by trying the same credentials across multiple accounts. This common user habit highlights one of the biggest dangers in online security: password reuse remains one of the most easily exploited vulnerabilities in the digital ecosystem.

Phishing risk elevated

The inclusion of PayPal-related URLs in the dataset raises the stakes further. Cybercriminals can use this detail to craft convincing phishing attacks, sending users links that closely resemble legitimate PayPal login pages.

By tailoring these scams to specific regions or mobile devices, attackers increase the likelihood of success. Attackers gain direct access once victims unknowingly enter their credentials into these fake sites, compounding the damage beyond the initial credential dump.

Enable two-factor authentication

Two-factor authentication, or 2FA, provides an essential safeguard against credential theft. By requiring an additional verification step, such as a text code or app notification, users ensure that a stolen password alone isn’t enough to gain entry.

Enabling this feature dramatically reduces the likelihood of a successful account takeover, even if hackers can obtain working login credentials. It is one of the simplest yet most effective ways to strengthen account protection.

Monitor account activity

Users should not wait for a breach notification to take action. Regularly reviewing PayPal activity, linked credit cards, and bank statements helps catch unauthorized charges early. Enabling transaction alerts ensures users are notified immediately if unusual activity occurs.

Swift detection can mean the difference between reversing a fraudulent charge quickly and suffering long-term financial damage. Monitoring accounts should become a routine habit for anyone using digital financial platforms.

Use dark-web monitoring services

Dark-web monitoring services can alert individuals when their email addresses, usernames, or passwords appear in underground forums. These tools continuously scan known marketplaces and dumps, providing early warnings to potential victims.

Users can take swift action by knowing when their information has surfaced, such as updating credentials and securing accounts. While no service can guarantee complete coverage, monitoring offers an added layer of security in today’s evolving cyber threat landscape.

Your phone doesn’t have to slow down or die early. Keep it running like new with these simple tips to extend your phone’s lifespan, as small habits can make a big difference.

Final word on the claims

While the claim of nearly 16 million PayPal accounts for sale on the dark web is alarming, current evidence points to the data being harvested from malware infections rather than a direct PayPal breach.

The authenticity of the dataset remains uncertain, but the potential risk to users cannot be ignored. Stronger passwords, two-factor authentication, and regular account monitoring are critical. Ultimately, staying vigilant is the best defense against today’s evolving cybercrime.

Before you grab that too-good-to-be-true deal, know what traps to avoid. Stay one step ahead with this guide: Sneaky scams lurking in secondhand home shopping your wallet will thank you.

If you found this interesting, give it a like and share your thoughts in the comments.

Read More From This Brand:

• How to Set Up a Secure VPN on Your Laptop
• How To Upgrade Your WiFi: A Comprehensive Guide
• Secure Your Smart Devices from Unauthorized Access

Don’t forget to follow us for more exclusive content on MSN.

If you liked this story, you’ll love our free emails. Join today and be the first to get stories like this one.

This slideshow was made with AI assistance and human editing.