PayPal hacked? Millions of passwords are on sale on the Dark Web

Has the PayPal platform just suffered a massive hack? Since August 16, 2025, a hacker operating under the pseudonym chucky_bf has claimed to hold a colossal database of 15.8 million emails and passwords associated with accounts registered on the platform. The cybercriminal reportedly put this information up for sale on a specialized marketplace without indicating a price, stirring the curiosity of buyers and security experts alike.

Tsunami or damp squib?

The announcement immediately caused widespread concern: if PayPal, whose servers handle millions of daily transactions, had actually been infiltrated, the incident would be one of the most serious hacks in recent years. However, several elements put the cybercriminal's version into perspective, or even call it into question. According to several specialists, it would not be a hack in the literal sense of the term, but rather a recycling of passwords stolen via malware.

According to Troy Hunt, cybersecurity researcher and founder of the Have I Been Pwned platform, it is highly unlikely that PayPal was compromised directly. On X, the expert points out that PayPal does not store passwords in clear text. Technically, the credentials are encrypted, so a leak of raw passwords cannot have come from its servers.

It is therefore much more likely that the data comes from infostealer-type malware. This malicious software, which quietly infiltrates computers and smartphones, can capture at the source what the user types, including PayPal passwords. According to figures from Kaspersky, nearly 10 million devices are infected each year by this type of software. Once collected, the data circulates in databases that are sold on the black market and easily recycled by hackers.

Credential stuffing

Another hypothesis put forward: the cybercriminal holds a compilation of passwords from other hacks and has simply matched them, by cross-referencing, with addresses also used on PayPal. This method, known as credential stuffing, relies on a troubling reality: the majority of Internet users reuse the same passwords on several platforms. For an attacker, a leak at an e-commerce site can therefore turn into indirect access to PayPal or other banking services.

While PayPal has neither confirmed nor denied the existence of this alleged theft, the danger remains tangible for millions of users. A cybercriminal with a valid email/password pair could theoretically access an account, within the limits of PayPal's anti-fraud protections. From there, he can initiate money transfers, make payments, or test the credentials on other sensitive services.

The data sold could also be used to fuel a new wave of automated attacks. Cybercriminals always apply the same logic: test at scale and see what gets through.
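For defenders on the receiving end of such a wave, the pattern described above (one source, many different accounts, almost all failures) is detectable in authentication logs. The following is an added example, not part of the original article or any PayPal code: the event format, thresholds and function names are assumptions, and the sample events are constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

def build_sample():
    """Constructed login events: (timestamp, source_ip, account, success)."""
    t0 = datetime(2025, 8, 16, 9, 0, 0)
    events = []
    # One source walks through 12 different accounts in under a minute;
    # exactly one leaked email/password pair happens to be valid.
    for i in range(12):
        events.append((t0 + timedelta(seconds=5 * i), "203.0.113.7",
                       f"user{i}@example.com", i == 8))
    # A legitimate user mistypes a password twice, then gets in.
    for i, ok in enumerate([False, False, True]):
        events.append((t0 + timedelta(seconds=20 * i), "198.51.100.20",
                       "alice@example.com", ok))
    return events

def detect_stuffing(events, window=timedelta(minutes=5),
                    min_accounts=10, max_success_ratio=0.2):
    """Flag sources that try many distinct accounts with few successes."""
    by_ip = defaultdict(list)
    for ts, ip, account, ok in sorted(events):
        by_ip[ip].append((ts, account, ok))
    flagged = {}
    for ip, rows in by_ip.items():
        start = 0
        for end in range(len(rows)):
            # Shrink from the left until the span fits inside the window.
            while rows[end][0] - rows[start][0] > window:
                start += 1
            span = rows[start:end + 1]
            accounts = {acct for _, acct, _ in span}
            hits = sorted({acct for _, acct, ok in span if ok})
            successes = sum(1 for _, _, ok in span if ok)
            if len(accounts) < min_accounts:
                continue
            if successes / len(span) > max_success_ratio:
                continue
            best = flagged.get(ip)
            if best is None or len(accounts) > best["accounts"]:
                # Successful logins inside a burst are the accounts to reset.
                flagged[ip] = {"accounts": len(accounts),
                               "failures": len(span) - successes,
                               "compromised": hits}
    return flagged

if __name__ == "__main__":
    for ip, info in detect_stuffing(build_sample()).items():
        print(ip, info)
```

The successful logins inside a flagged burst matter most: those are the reused passwords that worked, so those accounts need a forced reset and session revocation.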

What precautions?

While waiting for official clarification from PayPal, several precautions should be taken: change your PayPal password immediately, even if no anomaly has been noticed; enable two-factor authentication (2FA); monitor your bank statements and transactions to spot any suspicious activity; and use different passwords from one service to another, so that a breach at one site does not compromise your entire digital identity.