PayPal data breach: what you need to know, and how to protect your account and funds

Cybercriminals have long had a special interest in financial platforms like Cash App or Venmo, and for good reason. These services attract millions of users and store a wealth of personal and financial data.

PayPal is no exception. The company has experienced at least two cybersecurity incidents in recent years. The first PayPal data breach happened in 2022, affecting about 35 thousand people and costing the company two million dollars in fines. The second PayPal data leak is not entirely clear, but it seems that someone got a hang of PayPal user credentials in 2025. 

This article will break down the two incidents, explore what happened and who was affected, and offer practical advice on how to protect yourself. 

Has PayPal ever been hacked?

Yes and no. There is no simple answer to this question. PayPal, just like Amazon, has been caught up in a couple of cybersecurity incidents, but none of them involved hackers breaching its internal systems or extracting credentials directly from the company.  

So how is that possible? The explanation lies in the nature of the incidents. A system breach is distinct from an account compromise as a result of a credential stuffing attack (the type of attack Paypal suffered in 2022):

• A system breach is an unauthorized access to a company’s internal infrastructure, databases, and servers, often caused by a failure in the company’s cybersecurity and ability to protect its data.
  
• An account compromise happens when hackers gain unauthorized access to a customer account, using valid credentials that could be previously leaked or guessed. These attacks may succeed due to weak or reused passwords, indicating consumers’ failure to protect themselves.

As of now, there is no evidence that PayPal has ever suffered a system breach. Its users did experience account compromise, though. This was a result of various hacking techniques: credential stuffing, phishing, and probably the infostealer malware. 

Data breach 2025: PayPal hacked?

What do we know about the recent PayPal data leak? 

In May 2025, a cybersecurity researcher, Jeremiah Fowler, discovered an unprotected database containing 47 GB of data. There were approximately 184 million records, including PayPal login credentials. 

The database contained email addresses, usernames, passwords, banking credentials, login information for health platforms, and even government portals. PayPal was just one of the platforms affected by the leak. There were also mentions of Microsoft, Facebook, Snapchat, Roblox, Discord, Netflix, Amazon, Apple, Nintendo, Spotify, Yahoo, and others.

Fowler secured the database and reported the incident to the eligible hosting company, World Host Group. Still, there is no way of knowing if someone else accessed the sensitive information before he found it.

It’s also not clear who collected the data, from where, or why. It likely happened using a type of malware called infostealer. According to Fowler, “It is highly possible that this was a cybercriminal. It’s the only thing that makes sense, because I can’t think of any other way you would get that many logins and passwords from so many services all around the world.”

What happened in the 2022 PayPal data breach?

How did the breach unfold?

Between December 6 and 8, 2022, hackers gained access to approximately 35 thousand PayPal user accounts through credential stuffing. The PayPal breach exposed users’ personal information and IRS 1099-K forms generated by PayPal for tax purposes.

Credential stuffing is a hacking technique that involves using login credentials leaked in other data breaches. The process is automated, with bots trying numerous stolen credentials at a great speed. Obviously, that is only possible when people reuse passwords across different platforms. 

The company learned about the incident on December 20, 2022. On January 18, 2023, PayPal filed an official notice with the Office of the Maine Attorney General and sent a notice of security incident to all affected users. 

What data was compromised?

The attackers gained access to users’ PayPal accounts and 1099-K forms, so both personal and financial information were exposed:

• Personal identifiable information: full names, street addresses, dates of birth (DOBs), and email addresses.
  
• Government-identifiable information: social security numbers (SSNs) and tax identification numbers (TINs).
  
• Financial information: PayPal balance, transaction history, and linked bank account numbers.

How did PayPal respond?

PayPal locked the compromised accounts and implemented the following safety measures:

1. Affected users had to reset their passwords when logging in again.
2. All users had to solve stricter CAPTCHA challenges to prove they were not bots.
3. The number of unsuccessful login attempts was limited within a certain timeframe.
4. Confidential information, such as SSNs and TINs, was partially masked. 

PayPal offered everyone impacted two years of free credit monitoring, fraud alerts, identity restoration services, and ID theft insurance coverage of up to $1 million. These services were provided by Equifax.

Legal and financial consequences after the PayPal data breach 2022

Class action lawsuit filed in California

On March 2, 2023, plaintiffs Ashley Pillard and Destiny Rucker filed a class action lawsuit against PayPal in a California federal court. They represent a nationwide class of people affected by the PayPal data leak, but also the Nebraska and Texas subclasses. 

PayPal is accused of being negligent with the users’ sensitive information, breaching the contract, and not notifying its customers on time. According to Pillard and Rucker, the PayPal security breach will always be a risk for ID theft, which is essentially true.

The plaintiffs are looking to get compensation for the expenses they incurred due to the breach. They also want PayPal to improve its security measures, perform annual audits, and provide credit monitoring services. 

$2 million penalty from NYDFS

The 2022 PayPal breach caught the attention of regulatory agencies, too. The New York State Department of Financial Services (NYDFS), which oversees financial institutions and payment platforms like PayPal, investigated the incident. 

They discovered that PayPal changed the way the 1099-K tax forms were classified and displayed to users. And that process didn’t roll out smoothly. “The teams tasked with implementing these changes were not trained on PayPal’s systems and application development processes. As a result, they failed to follow proper procedures before the changes went live,” NYDFS explained. 

The platform also didn’t have CAPTCHA protections, rate limiting, or multifactor authentication (MFA). These factors contributed to the PayPal security breach, and the company agreed to pay a $2 million fine within 10 days to settle the violation. 

Ongoing threats PayPal users face

PayPal account hack attacks

Many people keep reusing their one or two strong passwords across most platforms and remain blissfully unaware that their personal information has been compromised in a data breach. That’s how hackers still manage to use credential stuffing to access PayPal accounts. 

Targeted phishing attacks and spoofed messages

PayPal might be one of the most impersonated companies when it comes to phishing attempts. Users often receive emails that look like they are from PayPal, resembling the platform’s branding and email template.

Order confirmation scams

“Thank you for your PayPal purchase of $499.99. If you didn’t authorize this, click here to dispute.”

Imagine that you receive this sort of email. Seeing such a charge, most people start to panic before even verifying that the email is legitimate.

The fake email, of course, contains a malicious link that takes you to a fake PayPal login page, where you can quickly enter your credentials. This allows fraudsters to take over your account and steal your information and money. 

What to do if your PayPal account has been compromised

If you’ve been affected by any of the PayPal security breaches or fell victim to a convincing phishing attack, here is what to do next.

Reset your PayPal password immediately

The best way to instantly secure your account is to change your password and replace it with a strong and unique one. 

Update credentials on other accounts using the same login

If you’ve used the same login credentials on other platforms (which you know, by now, is a bad idea), make sure to update those too.

Check for suspicious activity in your key accounts

It’s essential to make sure nothing is going on with your accounts. So, review your logins and account activity:

• On PayPal: Navigate to Settings and look for logins from unknown devices or locations. Check if any of your account settings have been changed. Notice new payments or withdrawals you didn’t make.
  
• Bank and card accounts: Check the transaction history of the bank accounts and credit cards linked to PayPal. Pay special attention to tiny test transactions that fraudsters sometimes use before stealing larger sums. 
  
• Email accounts: Review security settings and login history.
  
• Other financial platforms and shopping sites. 

Remember to do this not only when you suspect a data breach, but on a regular basis. Make sure you have account alerts enabled.

Report unauthorised transactions to PayPal

If you notice a transaction that you didn’t make, go ahead and report it to PayPal’s Fraud Resolution Center immediately. Check out other PayPal guidance on what to do in case of a data breach here.

Enable two-factor authentication (2FA)

After the 2022 PayPal breach, the company made two-factor authentication (2FA) mandatory for all U.S. users. MFA is a great protection measure against account compromise, and not only for PayPal. 

Verification apps, like Google Authenticator, are a safer option for receiving the code than texts or email.

Check if your credentials were exposed

HaveIBeenPwned is a great tool to check if your email address has been leaked in a data breach. You could also set up a dark web report with Google and receive a notification if your sensitive information is detected on the dark web. 

Place a fraud alert or freeze your credit

There are a couple of ways to prevent financial fraud after the PayPal data breach:

• Place a fraud alert
  This urges creditors to take extra steps to verify your identity before approving your credit applications. You can set it up with any of the three main credit bureaus: TransUnion, Experian, or Equifax, and they will notify the other two.
  
• Freeze your credit
  This is the next-level safety precaution that will prevent anyone from getting credit in your name. It’s free to freeze and unfreeze your credit. If you wish to do so, you’ll have to contact each of the three major credit bureaus separately. 

How to protect your PayPal account going forward

Recognize phishing and scam tactics

Phishing, as a social engineering tactic, builds upon the victim’s fear and curiosity. Think about that the next time you receive an email that requests urgent action or feels too good to be true. It’s better not to click on any links and not download files. Instead, contact the sender directly through some other channel of communication. 

Understand how PayPal communicates

According to this article by PayPal, the platform communicates with users primarily via email. But, there are ways to tell apart a true PayPal email from a spoofed (fake) one:

• How does the email start?
  PayPal will always greet you directly by your name/business name, while fake emails tend to use more generic openers (e.g. Dear PayPal member…)
  
• Does it ask for sensitive information?
  PayPal will never ask for your personal, financial, or account information (name, bank account number, account password, etc). You won’t have to provide the tracking number of a dispatched item before receiving payment. They will also never ask you to provide the answer to your security question via email. 
  
• Does it ask for a software update?
  Past phishing emails have prompted users to update their software to keep using PayPal (with conveniently attached files or a link to do so). PayPal promises not to make such requests. 

Secure your environment

Although you shouldn’t fall for phishing emails urging you to update your software, it’s still important to do so to maintain a secure digital environment. Software updates contain important security updates and patch the gaps scammers may try to exploit. Make sure to update your devices, browsers, and antivirus software regularly.

If you are an advanced user who wants more robust security than a regular antivirus software, consider using an Endpoint Detection and Response (EDR) solution. EDR is a type of cybersecurity software that is similar to an antivirus, but better at monitoring your device, detecting threats, responding to attacks automatically, and providing reports. 

Use strong, unique passwords and consider a password manager

Memorizing a bunch of complex passwords is difficult. But that’s not an excuse to use the same one over and over. Get a password manager, an app that will brainstorm strong passwords for you and store them safely. 

Limit online exposure to reduce risk

Does it really matter where fraudsters get your personal information? Having a large digital presence is as much of a risk as any data breach. Consider minimizing the amount of information you reveal online and do your best to remove your personal information from data broker websites. Onerep has automated the opt-out process with 200+ data brokers and can help if you want to save time and delegate the task.

FAQ

Has PayPal been hacked recently?

There is no evidence to suggest that PayPal was hacked. But, an unprotected database containing PayPal login credentials, among others, has been recently discovered. It’s not clear what exactly happened.

Can someone steal money with my PayPal info?

Your personal info, along with financial info such as your credit card number, can indeed be used to steal your money. 

Is PayPal safe to use after a breach?

PayPal has improved its cybersecurity after the 2022 incident. But no platform, no matter how robust, can be considered 100% safe. Many people rely too heavily on organizations to protect their privacy and underestimate the impact personal cybersecurity measures can have.