
A hacker operating under the alias “Chucky_BF” claims to have obtained a massive database containing the login details of 15.8 million PayPal accounts and is allegedly offering the entire dataset for sale on an online forum for just $750. The file, said to be 1.1 GB in size and stored in plain text, reportedly includes account email addresses and passwords originating from Gmail, Yahoo!, Hotmail, and numerous regional domains. While the claim has generated significant concern among cybersecurity professionals, the authenticity of the data remains unverified.
Cybersecurity expert Troy Hunt has publicly suggested that the data was unlikely to have been stolen directly from PayPal’s servers, as PayPal does not store passwords in plaintext. Instead, Hunt believes the information was probably harvested from individual users through infostealer malware. Security site Hackread, which examined portions of the data, found a mix of fake and test accounts but confirmed that a substantial number of entries appeared legitimate. PayPal has yet to release an official statement addressing the alleged breach.
Users are strongly advised to act preemptively by reviewing their PayPal accounts for any unauthorized activity and changing their passwords immediately. Those who reuse the same password across multiple services should update those credentials as well, as this dataset could be leveraged in credential-stuffing attacks across various platforms.




