More than 15.8 million email and plaintext password pairs purportedly stolen from PayPal have been promoted to be on sale by threat actor "Chucky_BF" on a hacking forum, according to HackRead.
Also included in the 1.1 GB data trove, which is being peddled for $750, were several records with PayPal service-linked URLs, noted Chucky_BF's listing, which also mentioned references to various endpoints and Android-specific URIs. Further analysis of the data dump showed not only Gmail addresses and passwords directly associated with the login pages of PayPal but also the inclusion of test or fake accounts, with Chucky_BF admitting the prevalence of reused passwords in the trove. PayPal has yet to confirm the veracity of Chucky_BF's claims. However, with the platform never experiencing any direct data compromise, researchers suspect that information included in the dump may have been obtained from various information-stealing malware logs.
