Overview
- An actor using the alias Chucky_BF is advertising about 15.8 million PayPal account records for roughly $750, claiming a 1.1 GB set dated to May with email addresses and alleged plaintext passwords.
- Preview checks cited by Heise and HackRead found duplicate entries, test or fake accounts, and a structure typical of info‑stealer malware outputs, which analysts say points to aggregated or older sources.
- PayPal has not confirmed any intrusion, and Have I Been Pwned founder Troy Hunt says he has not seen the data and doubts it originated from PayPal servers, noting PayPal does not store passwords in plaintext.
- Hunt indicated the dataset is not currently indexed by HIBP and may never be indexed if it turns out to be a low‑value aggregation; leak‑checkers can show that an email address was exposed but do not verify whether a password is current.
- Users are advised to change their PayPal password, enable two‑factor authentication or passkeys, and review recent transactions; if suspicious activity appears, they should contact PayPal or their banks and retain evidence.