Alleged Paypal access data: Source not Paypal

A fence is selling 15 million accounts with plaintext passwords that are said to come from PayPal. PayPal itself, however, is an unlikely source.

A hand holds a smartphone up to the camera; the Paypal logo can be seen on the display

(Image: Nopparat Khokthong/Shutterstock.com)


Reports are currently doing the rounds that Paypal has suffered a massive data leak. In an underground forum, a criminal with the handle "Chucky_BF" is allegedly selling around 15.8 million login credentials to PayPal – including plaintext passwords.

In an underground forum, the fence offers the access data to Paypal.

(Image: heise medien)

The data is said to be 1.1 GB in size and to contain the login email addresses, plaintext passwords and associated URLs. These include API endpoints and URLs such as /signin and /signup. The data does not appear to be properly sorted: "Chucky_BF" admits that variants of it include PayPal links with embedded credentials, as well as country-specific domains or mobile formats. Nevertheless, the perpetrator advertises the records as "a high risk for credential stuffing, phishing or fraud campaigns". The alleged date of the data leak was May 6 of this year.

Troy Hunt, who runs the Have I Been Pwned project, assessed the alleged leak on X. He does not believe that PayPal itself is the source.

He estimates: "Since the passwords definitely did not come from PayPal in plain text, they were either obtained in another way (info stealer, credential stuffing) or there is another explanation for this claim."

The announced "jumble" of data also suggests that it did not originate from PayPal itself, but was compiled from other (older) dumps that were collected by info stealers, i.e. malware on victims' computers. Another indication of the rather poor quality of the data is the price that "Chucky_BF" is asking. He wants 750 US dollars for it. That is rather little for real, up-to-date PayPal access data.
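As an added illustration (not part of the article), the following script applies the reasoning above to a dump's record layout: per-record origin URLs spanning several hosts and paths, credentials embedded in URLs, and passwords stored in plaintext are the shape of browser-harvested stealer logs, not of a first-party database export. The sample lines are constructed placeholders, and the field layout "url:email:password" is an assumption about the dump's format.

```python
import re
from urllib.parse import urlsplit

# Constructed sample lines (placeholder accounts, not real data) in the
# "url:email:password" layout commonly seen in infostealer log exports.
SAMPLE_LINES = [
    "https://www.paypal.com/signin:alice@example.org:Pa55word!",
    "https://www.paypal.com/signup:bob@example.net:hunter2",
    "https://www.paypal.de/signin:carla@example.de:geheim123",
    "https://m.paypal.com/signin:dan@example.com:qwerty",
    "https://api.paypal.com/v1/oauth2/token:eve@example.org:letmein",
    "https://user:pw@www.paypal.com/myaccount:frank@example.org:secret",
    "garbage line without the expected fields",
]

# Common password-hash shapes: bcrypt/argon2/pbkdf2 prefixes or bare MD5/SHA hex.
HASH_RE = re.compile(r"^(\$2[aby]\$|\$argon2|\$pbkdf2)|^[0-9a-f]{32}$|^[0-9a-f]{40}$|^[0-9a-f]{64}$")

def looks_hashed(secret):
    return bool(HASH_RE.match(secret))

def parse_line(line):
    """Split from the right: the URL field itself may contain ':' characters."""
    parts = line.rsplit(":", 2)
    if len(parts) != 3 or "@" not in parts[1]:
        return None
    return tuple(parts)

def triage(lines):
    stats = {"records": 0, "unparsable": 0, "hosts": set(), "paths": set(),
             "embedded_credentials": 0, "plaintext_passwords": 0}
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            stats["unparsable"] += 1
            continue
        url, _email, secret = rec
        stats["records"] += 1
        u = urlsplit(url)
        stats["hosts"].add(u.hostname)      # country domains, mobile hosts, API hosts
        stats["paths"].add(u.path)          # /signin, /signup, API endpoints ...
        if u.username is not None:          # credentials embedded in the URL userinfo
            stats["embedded_credentials"] += 1
        if not looks_hashed(secret):
            stats["plaintext_passwords"] += 1
    return stats

def verdict(stats):
    """A first-party export carries no per-record origin URL and stores hashes;
    several of these signals together point to a stealer-log compilation."""
    score = (len(stats["hosts"]) > 1) + (len(stats["paths"]) > 1) \
        + (stats["embedded_credentials"] > 0) \
        + (stats["records"] > 0 and stats["plaintext_passwords"] == stats["records"])
    return "likely stealer-log compilation" if score >= 3 else "inconclusive"
```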


Even if the data was not stolen from PayPal, PayPal users should check whether their credentials have been used for unauthorized access. They should also either activate multi-factor authentication or switch to passkeys straight away.

In the recent past, reports of such credential dumps have been making the rounds more frequently. They regularly turn out to be republications or remixes of old data from previous leaks. In June, for example, the excitement surrounding the discovery of 16 billion credentials was clearly exaggerated.

(dmk)


This article was originally published in German. It was translated with technical assistance and editorially reviewed before publication.