Thought Leadership
A hacker offers 15.8 million alleged PayPal credentials for $750 – including email addresses and passwords in plain text.
On a relevant hacker forum, a user under the pseudonym Chucky_BF offers a huge dataset – allegedly 15.8 million sets of access data from PayPal customers. The price: $750.
According to the seller, the information is reportedly available in plain text – i.e. unencrypted and directly usable. It contains email addresses, passwords and the corresponding website links. If this data proves authentic, criminals could misuse them for phishing, credential stuffing (the automated testing of access data) or other forms of fraud.
However, it is still unclear how many of the accounts offered are actually current and valid.
According to the information in the forum, it is not just data from individual regions, but access data from PayPal customers worldwide. The publication is therefore causing great concern in security circles.
No direct attack on PayPal
Experts do not currently believe that PayPal itself has been compromised. Security researcher Troy Hunt, founder of the HaveIBeenPwned platform, emphasizes that the possibility of PayPal storing passwords in plain text can be ruled out. Instead, it is likely that the data was obtained from the users’ devices themselves – for example through the use of “Infostealer” malware, which reads login data in the background.
Caution for users
Although PayPal was probably not hacked directly, the threat to customers remains serious. Anyone who uses the service should urgently:
- use a strong, unique password,
- activate two-factor authentication,
- and regularly check for suspicious activity in your own account
