A dataset allegedly containing 15.8 million stolen PayPal credentials, including login emails and plaintext passwords, was posted to a well-known data leak forum this week. Hackers claim the data was stolen in May 2025, but PayPal denies this. In a statement to Tom’s Guide, PayPal said the exposed information is related to a “security incident” back in 2022, and not the result of a new breach. Either way, now is as good a time as any to reset your PayPal password just to be safe.
That’s because the cybercriminals behind the forum post claim to not only have emails and passwords but also associated URLs, information that could streamline automated credential-stuffing attacks and fuel identity theft schemes. As first reported by Cybernews, the hackers claim the dataset contains thousands of strong, unique passwords, though many are likely reused.
Paypal has denied these reports of a breach, attributing the data dump to old credential-stuffing attacks from infostealer malware rather than new vulnerabilities in its systems. The 2022 security incident earned PayPal a $2 million fine from the New York State Department of Financial Services for failing to comply with state cybersecurity regulations. However, that leaked dataset exposed only 35,000 accounts, which is a far cry from the nearly 16 million the hackers claim to have.
Details about the leak remain scarce. Earlier this month, the dataset was listed for just $2 on dark web markets, a suspiciously low price that has fueled doubts about its authenticity and source. Security researchers also note that if the breach were truly recent, much of the information would likely have already been exploited by now. Based on the structure of the data, experts believe it may have been harvested using infostealer malware, which quietly steals passwords, cookies, and other details from infected devices before transmitting them to attackers. Some variants can even erase themselves to avoid detection.
How to stay safe in wake of alleged PayPal data breach
Whether this is a new breach or not, this incident underscores the importance of strong security hygiene, even for those protected by multi-factor authentication. With both emails, passwords, and linked URLs exposed, the dataset is structured to maximize its potential for malicious use.
For PayPal users worried their data may have been compromised, resetting your password should be at the top of your to-do list. If you reuse that same password elsewhere, update those accounts accordingly. While you’re at it, get one of the best password managers to generate and store strong, unique passwords across all your apps and services — without having to do the mental gymnastics of keeping track of them all yourself.
If you suspect your personal information has been exposed, consider enrolling in one of the best identity theft protection services. These tools can alert you if your data appears online, help recover funds lost to fraud, and guide you through restoring your accounts and credit.
Lastly, it’s essential to keep the best antivirus software installed and up to date across all your devices. Combine this with built-in browser security features and the extra protections included in many antivirus suites, such as VPNs and firewalls, for added peace of mind.
Follow Tom’s Guide on Google News to get our up-to-date news, how-tos, and reviews in your feeds. Make sure to click the Follow button.
More from Tom’s Guide
