www.theregister.com 2025/08/28/ -
US payments platform back in action, says it's informing affected customers
Shoppers and merchants in Germany found themselves dealing with billions of euros in frozen transactions this week, thanks to an apparent failure in PayPal's fraud-detection systems.
According to the Association of German Banks, the problem hit on Monday when banks noticed a slew of recent unauthorized direct debits from PayPal. The body said the banks responded in various ways, which is one way of putting it – the Süddeutsche Zeitung reported that some stopped all PayPal transactions, with the total number of frozen payments likely to be around €10 billion.
A spokesperson for the German Savings Banks Association (DSGV), which represents hundreds of regional banks across the country, confirmed the issue to The Register. The DSGV said PayPal had assured it the problem was resolved, adding that PayPal payments had been running smoothly since Tuesday morning and the US payments platform was informing affected customers "directly."
The DSGV said the unauthorized payments had a "significant impact on transactions throughout Europe, particularly in Germany." However, there have been no confirmed reports of the incident being felt outside Germany. Austrian media reported that the banks there had seen no problems.
PayPal is the most popular method of online payment in Germany, having been used for 28.5 percent of online purchases last year, according to research by the EHI Retail Institute. (The next most popular option is buying on account.)
That's largely down to PayPal's payment protection, which appeals to privacy-conscious Germans. In the wake of the unauthorized direct debit issue, financial industry consultant Peter Woeste Christensen told local media that PayPal's particular strength in Germany was partly thanks to the poor user experience of German banks' own apps.
PayPal had not responded to The Register's request for comment at the time of publication, although SZ quoted a spokesperson as saying PayPal had quickly identified the cause and was working with banks to "ensure all accounts are updated." The US company referred to the incident as a "temporary service interruption."
PayPal's reputational hit in Germany is likely to be exacerbated by last week's reports of hackers offering millions of PayPal credentials that they claimed PayPal had recently exposed in plaintext. The hackers' claims appear dubious, with PayPal denying any recent breach, but the reports gained significant traction in Germany.
"It's possible that the data is incorrect or outdated," read a Wednesday advisory from the German consumer organization Stiftung Warentest, which bundled the leak report with this week's snafu. "Nonetheless, PayPal users should change their passwords as a precaution."
hackread.com August 18, 2025 - A seller named Chucky_BF is offering 15.8M PayPal logins with emails, passwords, and URLs. The data may come from infostealer malware logs.
A threat actor using the name Chucky_BF on a cybercrime and hacker forum is advertising what they claim to be a massive PayPal data dump. The post describes a trove labeled “Global PayPal Credential Dump 2025,” allegedly containing more than 15.8 million records of email and plaintext password pairs.
The size of the dataset is said to be 1.1GB, and according to the seller, the leak covers accounts from many email providers and users in different parts of the world. What makes this claim threatening is not just the number of exposed accounts but also the type of data said to be included. Other than the email and password combinations, the seller mentions that many records come with URLs directly linked to PayPal services.
Endpoints like /signin, /signup, /connect, and Android-specific URIs are also referenced in the listing. These details suggest that the dump is structured in a way that could make it easier for criminals to automate logins or abuse services.
The description provided by Chucky_BF describes the dataset as a goldmine for cybercriminals. The threat actor claims the records are “raw email:password:url entries across global domains,” warning that this could lead to credential stuffing, phishing schemes, and fraud operations.
A closer look by Hackread.com at the samples posted in the forum shows Gmail addresses paired with passwords and linked directly to PayPal’s login pages, while another features a user account appearing in both web and mobile formats, showing that the same account details were found in different versions of PayPal’s services, both web and mobile.
The way the data is put together is also important. It seems to include a mix of real accounts and test or fake ones, which is often the case with stolen or old databases. The seller claims most of the passwords look strong and unique, but also admits many are reused. That means people who used the same password on other websites could be at risk well outside PayPal.
As for pricing, Chucky_BF is asking for 750 US dollars for full access to the 1.1GB dump. That figure positions it in line with other credential dumps of similar size sold in cybercrime markets, which often find buyers among groups looking to monetize stolen accounts through fraud or resale.
If the claims are accurate, this would represent one of the larger PayPal-focused leaks of recent years, with millions of users across Gmail, Yahoo, Hotmail, and country-specific domains implicated.
Infostealer Logs as the Likely Source
PayPal has never suffered a direct data breach in which attackers broke into its systems or stole millions of user records. Past incidents, including the one that involved 35,000 users, linked to the company have usually been the result of credential stuffing or data harvested elsewhere.
This makes it possible that the newly advertised dataset is not the product of a PayPal system breach at all, but rather the result of infostealer malware collecting login details from infected devices and bundling them together.
The structure of the dataset shown in the samples shared by the threat actor suggests it may have been collected through infostealer malware logs. Infostealers infect personal devices and steal saved login details, browser data, and website activity, which later appear in bulk on cybercrime markets.
The presence of PayPal login URLs and mobile URIs in this dump makes it possible that the information was gathered from infected users worldwide, then compiled to be sold as a single PayPal-focused leak.
Infostealer malware infecting devices worldwide is hardly surprising. In May, cybersecurity researcher Jeremiah Fowler discovered a misconfigured cloud server containing 184 million login credentials, including unique usernames, email addresses, and passwords, which he believes were likely collected using infostealer malware.
According to Hudson Rock, a cybercrime intelligence company, infostealer malware is easily and cheaply available on the dark web. The company’s research also revealed the scale at which these tools have successfully targeted critical infrastructure, including in the United States.
Researchers found that employees at key US defense entities such as the Pentagon, major contractors like Lockheed Martin and Honeywell, military branches, and federal agencies, including the FBI, have also fallen victim to infostealer malware.
As for PayPal, the company itself has not confirmed any such incident, and it is not yet clear whether the dataset is entirely authentic, a mix of real and fabricated records, or a repackaging of older leaks.
Hackread.com has also not been able to verify whether the data is genuine, and only PayPal can confirm or deny the claims. The company has been contacted for comment, and this article will be updated accordingly.
An ongoing PayPal email scam exploits the platform's address settings to send fake purchase notifications, tricking users into granting remote access to scammers
The incoming phone call flashes on a victim’s phone. It may only last a few seconds, but can end with the victim handing over codes that give cybercriminals the ability to hijack their online accounts or drain their crypto and digital wallets.
“This is the PayPal security team here. We’ve detected some unusual activity on your account and are calling you as a precautionary measure,” the caller’s robotic voice says. “Please enter the six-digit security code that we’ve sent to your mobile device.”
PayPal has alerted over 35,000 customers of a data breach revealing that their accounts were hacked between December 6th and 8th, 2022.
