
Hackers claim 15.8M PayPal logins leaked, PayPal denies, anyone else resetting passwords?


  • Member

Apparently, someone has just dropped a dataset on a leak forum, claiming it contains around 15.8 million PayPal logins, including emails and plaintext passwords. The hackers claim the data was stolen in May, but PayPal denies it. Their official line is that it’s not a new breach, just old data tied to a 2022 incident.

Now, here’s the messy part: the people who posted the leak aren’t just claiming to have emails and passwords; they’re also claiming to have related URLs. That kind of information makes automated credential-stuffing attacks significantly easier, and we all know where that usually leads: identity theft, drained accounts, and the like. They’re even bragging that thousands of the leaked passwords are strong and unique, though most are probably recycled across multiple accounts.

PayPal, of course, is pushing back. They’re blaming it on infostealer malware and old credential-stuffing dumps, not a fresh hole in their system. For context, in 2022, they were hit with a $2 million fine in New York due to a security compliance failure. That incident “only” exposed 35,000 accounts, though. What’s circulating now is supposedly close to 16 million, which is a significant increase.

Bottom line, regardless of who’s telling the truth, it’s probably a smart move to reset your PayPal password if you haven’t in a while. And if you’re the type who reuses logins, this might be the wake-up call to stop doing that once and for all.

  • Member

I don’t buy PayPal’s explanation at face value. They consistently downplay until it blows up. Even if it is old data, 15+ million logins floating around out there is still dangerous. Many people never change their passwords, so the odds are high that a significant number of those accounts remain active.

  • New Member

I’m leaning toward this being old info, too. Hackers often repurpose old leaks to make them appear fresh. That said, it doesn’t really matter if PayPal is right or wrong; if your email + PayPal login is out there, you’re at risk. Everyone should enable 2FA on PayPal. At least that way, even if someone has your password, they can’t get in without the code.

  • New Member

Man, this is scary. I'm not even sure if my information's in that leak, but I've gone ahead and changed my password anyway. It's crazy how often this stuff happens now. It feels like no matter what company it is, sooner or later, our data ends up being out there.

  • Author
  • Member

Yeah, I’m with you all on this. Even if PayPal’s telling the truth and it’s old data, 16 million accounts floating around is no small thing. I reset mine last night and turned on 2FA just in case. Honestly, the part that bothers me is how hard it is to know what’s actually going on. PayPal says one thing, hackers say another, and we’re stuck guessing. At the end of the day, the safest bet is to lock down our own accounts.

  • Member

Here’s the thing. This smells like an aggregated infostealer dump. Those are usually harvested from infected machines where malware has grabbed browser-saved passwords. That would explain why some of the credentials look “new” and why URLs are included (browsers store those with the login). Hackers then stitch together multiple sources and slap a significant number on it to make it sound fresh.

But that doesn’t make it harmless. Even if just 5% of those logins are still valid, that’s hundreds of thousands of working PayPal accounts up for grabs. Credential-stuffing bots don’t care if 95% fail. They’ll hammer through the list until something sticks. Best defense: strong, unique password + 2FA. And if you’ve ever reused your PayPal password elsewhere, change those too.
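The failure pattern described in the post above (one source working through many accounts and failing on most of them) is what a defender can look for in login logs. The sketch below is an added example, not part of the original thread; the event layout, the thresholds and the sample data are all assumptions constructed for illustration.

```python
from collections import defaultdict

# Constructed sample login events: (source_ip, username, success).
# 203.0.113.7 tries 40 different accounts and succeeds on 2 (95% failure).
# 198.51.100.4 is one user mistyping a password before getting in.
SAMPLE_EVENTS = (
    [("203.0.113.7", f"user{i}@example.com", i % 20 == 0) for i in range(40)]
    + [("198.51.100.4", "alice@example.com", False)] * 3
    + [("198.51.100.4", "alice@example.com", True)]
    + [("192.0.2.9", "bob@example.com", True)]
)


def flag_stuffing_sources(events, min_accounts=10, min_fail_ratio=0.8):
    """Return sources that try many distinct accounts and mostly fail.

    Thresholds are illustrative assumptions; tune them to real traffic.
    Accounts with a successful login from a flagged source are listed
    so they can be forced through a password reset.
    """
    stats = defaultdict(lambda: {"users": set(), "hits": set(), "fail": 0, "total": 0})
    for ip, user, ok in events:
        s = stats[ip]
        s["users"].add(user)
        s["total"] += 1
        if ok:
            s["hits"].add(user)
        else:
            s["fail"] += 1

    flagged = {}
    for ip, s in stats.items():
        fail_ratio = s["fail"] / s["total"]
        # Distinct-account count separates stuffing from one user's typos.
        if len(s["users"]) >= min_accounts and fail_ratio >= min_fail_ratio:
            flagged[ip] = {
                "accounts_tried": len(s["users"]),
                "fail_ratio": round(fail_ratio, 2),
                "accounts_to_reset": sorted(s["hits"]),
            }
    return flagged


if __name__ == "__main__":
    for ip, info in flag_stuffing_sources(SAMPLE_EVENTS).items():
        print(ip, info)
```

Real campaigns spread attempts across many source addresses, so the same grouping is usually repeated on other keys such as ASN, user agent or device fingerprint.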

  • New Member

Seen this song and dance too many times. Hackers love to exaggerate numbers to get attention or sell “fresh” data that’s really just recycled. Remember when every other week it was “50 million Facebook logins leaked,” and most of it turned out to be junk? Not saying people shouldn’t be careful. Changing passwords and enabling two-factor authentication (2FA) is basic hygiene. However, I wouldn’t panic every time a massive leak headline appears. Half the time, it’s smoke and mirrors.
