Threat Actor Allegedly Claiming Access to 15.8 Million PayPal Email and Passwords in Plaintext

A threat actor operating under the alias “Chucky_BF” has posted a concerning advertisement on a well-known cybercrime forum, claiming to possess and sell a “Global PayPal Credential Dump 2025” containing over 15.8 million email and plaintext password pairs. 

The dataset, approximately 1.16GB in plain text format, allegedly comprises credentials for PayPal accounts spanning many email domains and countries, highlighting the potential widespread impact of the breach.

Key Takeaways
1. Cybercriminal "Chucky_BF" is alleged to be selling 15.8 million PayPal email and plaintext password pairs.
2. The breach enables credential stuffing attacks and targeted phishing campaigns.
3. PayPal users should immediately change passwords and enable multi-factor authentication (MFA).

Plaintext Passwords Exposed 

According to Hackmanac’s post on X, the leaked credentials reportedly contain:

Login Emails: Common domains such as @gmail.com, @yahoo.com, @hotmail.com as well as TLD-specific and country-centric addresses.

Plaintext Passwords: Both unique and frequently reused strings, many exhibiting strong complexity, raising concerns about password reuse across platforms.

Associated URLs: Direct PayPal endpoints, including URIs for /signin, /signup, /connect, and Android mobile APIs.

Variants: Credentials embedded in regular PayPal links, country-specific domain formats, and mobile integrations.

Threat actor Advertises PayPal Data Leak

The forum post also shows a sample snippet of the raw email:password:url format; data in this form is directly usable for credential stuffing, targeted phishing, and large-scale fraud.

The threat actor notes a leak date of May 6, 2025, and describes the dump as suitable for use in phishing campaigns and security testing by malicious parties.

Troy Hunt added that “Given passwords definitely didn’t come from PayPal in plain text, they’ve either been obtained another way (info stealer, credential stuffing) or there’s another explanation for this claim.”

Security Measures for PayPal Users

While cybersecurity experts have not independently verified the full authenticity or scope of the dump, industry sources and threat intelligence feeds are actively monitoring related indicators. 

If confirmed, such a breach would pose severe risks: attackers could automate login attempts across PayPal and other web services, exploiting reused credentials.

The leak can enable highly targeted social engineering, using valid emails and password hints. Easy access to valid credentials could facilitate unauthorized transactions, banking fraud, and identity theft.

Immediate action for all PayPal account holders includes resetting passwords on PayPal (and associated accounts), especially if reused elsewhere.

Enable multi-factor authentication (MFA), monitor account activity for suspicious transactions, and remain vigilant for phishing attempts using breached email addresses.

Security analysts underscore that this incident exemplifies the urgent need for robust password hygiene and use of MFA across financial and online services. 

Organizations are advised to rapidly update breach detection rules for associated email and URL patterns, and end-users should never reuse passwords across critical accounts.
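As an added illustration of the detection-rule advice above (example code written for this article, not from Hackmanac, PayPal or the forum post), the following triage script parses lines in the email:password:url layout the post describes, keeps only entries pointing at PayPal hosts, and reports which addresses on an organization's own domain watchlist appear, so those accounts can be forced through a password reset and MFA check. The sample lines, the domain names and the PayPal host rule are constructed assumptions for this example; only http(s) URLs are handled.

```python
import re
from collections import Counter, defaultdict
from urllib.parse import urlsplit

# Constructed sample lines in the email:password:url layout the forum post
# describes. All values are made up for this example, not from any dump.
SAMPLE_LINES = """\
alice@example.com:Summ3r:2025!:https://www.paypal.com/signin
bob@corp-example.org:hunter2:https://www.paypal.com/connect?flow=login
carol@example.com:pa:ss:w0rd:https://www.paypal.co.uk/signup
dave@corp-example.org:Qwerty!1:https://api-m.paypal.com/v1/oauth2/token
broken line without delimiters
eve@other-example.net:notpaypal:https://shop.example.com/login
"""

# Rough host rule (an assumption for this example): any subdomain of
# paypal.<tld> or paypal.co.<cc>. Rejects lookalikes such as paypal.com.evil.net.
PAYPAL_HOST = re.compile(r"^(?:[a-z0-9-]+\.)*paypal\.(?:[a-z]{2,3}|co\.[a-z]{2})$")

def parse_line(line):
    """Split 'email:password:url'. Passwords may themselves contain ':', so
    the URL is cut at the last ':http' separator instead of a naive split."""
    email, sep, rest = line.partition(":")
    if not sep or "@" not in email:
        return None
    idx = rest.lower().rfind(":http")
    if idx < 0:
        return None                       # no http(s) URL part; unsupported line
    return email.lower(), rest[:idx], rest[idx + 1:]

def triage(text, watch_domains):
    """Return (hits per email domain, affected addresses on the watchlist,
    hits per URL path). Passwords are only used to validate a line and are
    never stored or returned, so the output can go straight to a reset workflow."""
    per_domain, endpoints, affected = Counter(), Counter(), defaultdict(set)
    for raw in text.splitlines():
        rec = parse_line(raw.strip())
        if rec is None:
            continue                      # malformed line, skip it
        email, _password, url = rec
        parts = urlsplit(url)
        if not PAYPAL_HOST.match((parts.hostname or "").lower()):
            continue                      # not a PayPal endpoint; out of scope
        domain = email.rsplit("@", 1)[1]
        per_domain[domain] += 1
        endpoints[parts.path or "/"] += 1
        if domain in watch_domains:
            affected[domain].add(email)
    return per_domain, dict(affected), endpoints
```

Running `triage(SAMPLE_LINES, {"corp-example.org"})` on the constructed sample reports two affected corporate addresses and a per-path breakdown (/signin, /signup, /connect, mobile API) that can feed the URL-pattern detection rules mentioned above.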


About Cybernoz

Security researcher and threat analyst with expertise in malware analysis and incident response.