A cybercriminal going by “Chucky_BF” is making waves in the underground forums. They claim that they’re selling what they call a “Global PayPal Credential Dump 2025” containing over 15.8 million email and password login combinations.
If real, this would be one of the largest credential exposures targeting PayPal users to date. The alleged dump, weighing in at 1.16 GB of raw text data, supposedly contains credentials from PayPal accounts spanning multiple countries and domains.
Even more interesting is that the passwords in the dump are in plain text, meaning anyone with access can read them without needing to crack any encryption.
What’s Actually in This Data?
The credentials reportedly include email addresses from the usual suspects: Gmail, Yahoo, and Hotmail accounts, along with various country-specific domains.
What’s puzzling, though, is that a lot of these passwords appear to be complex and unique, which raises questions about how they were obtained.
Complex, unique passwords are not what you would expect if users had simply picked weak credentials; instead, they hint at something more sophisticated happening behind the scenes.
The data also includes direct links to PayPal’s infrastructure, pointing to login pages, signup forms, and even mobile app interfaces. This level of detail suggests the information wasn’t just scraped from random sources but potentially gathered through targeted methods.
Security researcher Troy Hunt weighed in, stating that PayPal doesn’t store passwords in plain text, so these credentials likely came from somewhere else entirely.
The passwords might have been collected through information-stealing malware, credential stuffing attacks against other services, or compromised third-party applications that users connected to their PayPal accounts.
Chucky_BF isn’t being subtle about the intended use of this data. The forum post includes sample data formatted specifically for automated attacks. Each entry follows a simple email:password:url structure that feeds directly into credential stuffing tools.
These automated systems can test thousands of login attempts per minute across PayPal and other services, hoping to find accounts where people reused the same password.
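The login pattern described above (one source trying many different accounts, mostly failing) is what separates credential stuffing from a user mistyping a password. The following is an added example, not part of the original article, that flags that pattern in authentication logs and lists the accounts that were successfully logged into during the burst; the log format, thresholds and sample lines are constructed for illustration.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample auth log: timestamp, source IP, account, outcome.
SAMPLE_LOG = """\
2025-05-06T10:00:01 203.0.113.7 ann@example.com FAIL
2025-05-06T10:00:03 203.0.113.7 bob@example.com FAIL
2025-05-06T10:00:04 198.51.100.20 zoe@example.com FAIL
2025-05-06T10:00:06 203.0.113.7 cat@example.com FAIL
2025-05-06T10:00:09 198.51.100.20 zoe@example.com FAIL
2025-05-06T10:00:10 203.0.113.7 dan@example.com OK
2025-05-06T10:00:12 192.0.2.55 kim@example.com OK
2025-05-06T10:00:14 203.0.113.7 eve@example.com FAIL
2025-05-06T10:00:15 192.0.2.55 lee@example.com OK
2025-05-06T10:00:17 198.51.100.20 zoe@example.com OK
2025-05-06T10:00:18 203.0.113.7 fay@example.com FAIL
2025-05-06T10:00:20 192.0.2.55 max@example.com OK
2025-05-06T10:00:22 192.0.2.55 ned@example.com FAIL
2025-05-06T10:00:25 192.0.2.55 oli@example.com OK
"""

def detect_stuffing(log_text, window_s=60, min_accounts=5, min_fail_ratio=0.8):
    """Return {source_ip: accounts that logged in OK from a flagged source}."""
    window = timedelta(seconds=window_s)
    recent = defaultdict(deque)  # ip -> (time, account, ok) inside the window
    flagged = {}
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # skip malformed lines
        ts, ip, account, outcome = parts
        now = datetime.fromisoformat(ts)
        events = recent[ip]
        events.append((now, account.lower(), outcome == "OK"))
        while now - events[0][0] > window:
            events.popleft()  # drop attempts older than the window
        accounts = {a for _, a, _ in events}
        fails = sum(1 for _, _, ok in events if not ok)
        # Many distinct accounts from one source, mostly failing: stuffing.
        if len(accounts) >= min_accounts and fails / len(events) >= min_fail_ratio:
            flagged.setdefault(ip, set()).update(a for _, a, ok in events if ok)
        elif ip in flagged and outcome == "OK":
            flagged[ip].add(account.lower())  # later hit from a known source
    return flagged
```

The single user retrying one account (198.51.100.20) and the shared address with mostly successful logins (192.0.2.55) are not flagged; the account returned for 203.0.113.7 is the one to lock and reset.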
The threat actor claims the data is fresh, allegedly leaked on May 6, 2025, and markets it as perfect for phishing campaigns and what they euphemistically call “security testing.”
In the criminal underground, this kind of data doesn’t just enable direct account takeovers; it provides the foundation for sophisticated social engineering attacks using real email addresses and password patterns.
Should You Be Concerned?
The real danger of this threat extends far beyond PayPal itself. Password reuse remains rampant among internet users, meaning credentials that work for one service often unlock accounts on entirely different platforms.
A PayPal password might also protect someone’s email, social media, or even other financial accounts.
Criminals can use valid email addresses to create convincing phishing campaigns, knowing these addresses are associated with PayPal accounts. They can also attempt to use the same credentials on banking sites, cryptocurrency exchanges, and other high-value targets.
Even if the passwords don’t work directly, they provide valuable intelligence about user behavior and password patterns that can inform more targeted attacks.
This is the fundamental problem with password-based security. Even when users create strong, complex passwords, those credentials become vulnerable the moment they’re stored or transmitted by third-party services with weaker security practices.
Multi-factor authentication (MFA) provides crucial protection against these scenarios. Even if criminals have valid credentials, they can’t complete the login process without access to the user’s phone or authentication app.
Unfortunately, MFA adoption remains inconsistent, especially among everyday users who may not fully understand the risks.
To All PayPal Users…
PayPal users should immediately change their passwords, especially if they’ve reused the same credentials elsewhere. The new password should be unique to PayPal and stored in a password manager rather than reused across multiple services.
Enabling multi-factor authentication provides essential protection against credential-based attacks. Even with valid passwords, attackers would need physical access to the user’s authentication device to complete unauthorized logins.
Users should also monitor their PayPal accounts closely for unexpected transactions or login attempts. PayPal provides detailed activity logs that can help identify suspicious behavior before it results in financial losses.
For now, cybersecurity experts are investigating the authenticity and scope of this dump. The sophistication of modern credential theft, from information-stealing malware to large-scale phishing operations, means that even security-conscious users can find their data exposed through no fault of their own.
The solution isn’t perfect password practices alone, but layered security that assumes credentials will eventually be compromised. That way, you will still have a last line of defense, even when your passwords fall into the wrong hands.