It's a bargain: More than 15 million login details for PayPal accounts are currently being offered on the internet. The user "Chucky_BF" is asking only 750 US dollars for them. A good deal for criminals: they could go on a shopping spree with the data.
The data set contains email addresses, passwords and URLs, all in plain text, reports the cybersecurity website "Hackread". It is unclear whether the data is genuine. IT expert Troy Hunt points out in a post on X that the data cannot have come directly from PayPal, as the payment provider stores the passwords in encrypted form. Hunt founded the website "HaveIBeenPwned" a few years ago; there you can check whether your email address appears in data leaks.
🚨Cyber Alert - PayPal‼️
Do you have a PayPal account? It might be time to change your password.
A threat actor using the alias "Chucky_BF" claims to be selling 15.8 million email and plaintext password pairs linked to PayPal accounts worldwide.
It is more likely that the data set was collected via phishing or malware attacks or compiled from older data leaks. This would also explain the discount price.
Given passwords definitely didn’t come from PayPal in plain text, they’ve either been obtained another way (info stealer, credential stuffing) or there’s another explanation for this claim 🤔 https://t.co/xmDyRaFbhL
Despite all doubts about the authenticity of the data, you should be careful. It cannot be ruled out that the collection also contains current, working combinations of email addresses and passwords. This is no reason to panic, but you should follow a few simple security tips. Last but not least, now is a good time to change your PayPal password.
How to protect your PayPal account
Always protect all your logins well, regardless of current hacks and leaks.
Never use passwords more than once! Set a separate password for each online service - such as Instagram, Netflix, Ricardo or PayPal. If you always use the same password, a single hack is enough for cyber criminals to gain access to all your services.
Activate two-factor authentication wherever possible! With two-factor authentication (2FA), you have to enter a current code as a second step after the password or fingerprint scan in order to log in to an online service. These codes are often provided via an authentication app on your smartphone. Sometimes, however, they are also sent by email or text message. If you use 2FA, cyber criminals won't get far with just an email/password combination.
Choose a secure password! Use a random combination of upper and lower case letters, numbers and special characters. A password length of 16 characters is considered secure.
Use a password manager! These programs allow you to save numerous passwords for various internet services on your computer or smartphone. If required, they can generate complex passwords that cannot be easily guessed. To access the database, users need only a master password, which is the only one they have to remember.