{"id":6224,"date":"2025-08-18T10:03:33","date_gmt":"2025-08-18T10:03:33","guid":{"rendered":"https:\/\/serisec.com\/index.php\/2025\/08\/18\/threat-actor-allegedly-claiming-access-to-15-8-million-paypal-email-and-passwords-in-plaintext\/"},"modified":"2025-08-18T10:03:33","modified_gmt":"2025-08-18T10:03:33","slug":"threat-actor-allegedly-claiming-access-to-15-8-million-paypal-email-and-passwords-in-plaintext","status":"publish","type":"post","link":"https:\/\/serisec.com\/index.php\/2025\/08\/18\/threat-actor-allegedly-claiming-access-to-15-8-million-paypal-email-and-passwords-in-plaintext\/","title":{"rendered":"Threat Actor Allegedly Claiming Access to 15.8 Million PayPal Email and Passwords in Plaintext"},"content":{"rendered":"

Threat Actor Allegedly Claiming Access to 15.8 Million PayPal Email and Passwords in Plaintext
\n \t

\n
<\/BR>
\n
\n \t

\n
<\/BR><\/p>\n

\n

A threat actor operating under the alias \u201cChucky_BF\u201d has posted a concerning advertisement on a well-known cybercrime forum, claiming to possess and sell a \u201cGlobal PayPal Credential Dump 2025\u201d containing over 15.8 million email and plaintext password pairs.\u00a0<\/p>\n

The dataset, measuring approximately 1.16GB in plain text format, allegedly comprises sensitive credentials sourced from multi-domain PayPal accounts globally, highlighting the potential widespread impact of the breach.<\/p>\n

Key Takeaways<\/mark><\/strong>
1. Cybercriminal \"Chucky_BF\" is alleged to be selling 15.8 million PayPal email and plaintext passwords.
2.\u00a0Breach enables credential stuffing attacks, targeted phishing campaigns.
3. PayPal users should immediately change passwords, enable multi-factor authentication (MFA).<\/pre>\n
Plaintext Passwords Exposed\u00a0<\/strong><\/h2>\n
According to Hackmanac\u2019s post on X, the leaked credentials reportedly contain:<\/p>\n
Login Emails:<\/strong> Common domains such as @gmail.com, @yahoo.com, @hotmail.com as well as TLD-specific and country-centric addresses.<\/p>\n
Plaintext Passwords:<\/strong> Both unique and frequently reused strings, many exhibiting strong complexity, raising concerns about password reuse across platforms.<\/p>\n
Associated URLs:<\/strong> Direct PayPal endpoints, including URIs for \/signin, \/signup, \/connect, and Android mobile APIs.<\/p>\n
Variants:<\/strong> Credentials embedded in regular PayPal links, country-specific domain formats, and mobile integrations.<\/p>\n
\n
\"Threat
Threat actor Advertises PayPal Data Leak<\/figcaption><\/figure>\n<\/div>\n
The forum post further displays a sample \u201ccode\u201d snippet showing the raw format\u2014email:password:url\u2014enabling credential stuffing<\/a> attacks, targeted phishing, and large-scale fraud.\u00a0<\/p>\n
The threat actor notes a leak date of May 6, 2025, and describes the dump as suitable for use in phishing campaigns and security testing by malicious parties.<\/p>\n
TroyHunt added that \u201cGiven passwords definitely didn\u2019t come from PayPal in plain text, they\u2019ve either been obtained another way (info stealer, credential stuffing) or there\u2019s another explanation for this claim.\u201d<\/p>\n
Security Measures for PayPal Users<\/strong><\/p>\n
While cybersecurity experts have not independently verified the full authenticity<\/a> or scope of the dump, industry sources and threat intelligence feeds are actively monitoring related indicators.\u00a0<\/p>\n
\n
\n
\n
Given passwords definitely didn\u2019t come from PayPal in plain text, they\u2019ve either been obtained another way (info stealer, credential stuffing) or there\u2019s another explanation for this claim \"\ud83e\udd14\" https:\/\/t.co\/xmDyRaFbhL<\/a><\/p>\n
\u2014 Troy Hunt (@troyhunt) August 16, 2025<\/a>\n<\/p><\/blockquote>\n