What You Need to Know about the PayPal Data Breach

  • Published: Aug 27, 2025
  • Last Updated: Aug 27, 2025

PayPal was established in 1998 by Peter Thiel, Luke Nosek, and Max Levchin. The application's original goal was cybersecurity for handheld devices before it pivoted to a digital wallet. It merged with X.com in 2000 and was later rebranded around online payment systems. After spinning off from eBay in 2015, the platform expanded globally to democratize financial services, so that every person, regardless of their region or economic ability, has access to convenient, affordable, and secure services.

Despite the company’s background and current measures, PayPal suffered a data breach in which criminals posted a dataset of 15.8 million credentials. The hackers responsible claim the data was stolen in May 2025. However, PayPal claimed that the dataset resulted from an attack that happened in 2022. This incident exposed names, dates of birth, addresses, and social security numbers. The organization also emphasized that its internal systems were not breached, attributing the dataset to cybercriminals who used credentials from other posted sources.

When Was the PayPal Data Breach?

The most significant PayPal data breach occurred in December 2022. Between December 6 and 8, 2022, unauthorized parties broke into the company’s systems and accessed 35,000 customer accounts by credential stuffing. The criminals used usernames and passwords that had previously been compromised in other sources to infiltrate the accounts and obtain the larger dataset.

As a result, highly sensitive information, including addresses, birth dates, names, and social security numbers, was exposed. In August 2025, another group of hackers claimed to be selling a dataset of an estimated 16 million credentials, which was apparently stolen in May 2025. PayPal has consistently denied that a new breach occurred, claiming that the dataset was linked to the 2022 incident.

By this logic, the 2022 event was a targeted incident, but the recent 2025 data breach was probably an aggregation of credentials stolen over several years, which criminals have compiled and resold. PayPal emphasizes that its core systems were not compromised in either circumstance, though this case does highlight the threat posed by vulnerable credentials.

How to Check If Your Data Was Breached

You can take a few steps to determine whether your information was exposed in the PayPal breach. PayPal directly notified anyone who was affected during the data breach. Check official channels, such as email or mail, for communication from the company concerning a security breach. For the 2022 incident, PayPal notified each of the 35,000 affected individuals and gave them two years of free credit monitoring via Equifax.

If you got the offer, there is a significant chance that your information was part of the dataset. If you have not seen any emails in your main folder, check the spam folder to see whether any communications were sent concerning a data breach. Aside from waiting for notifications, you may use cybersecurity websites and tools. Some services, like Have I Been Pwned, allow users to search for their email or phone number to see if it appears in data leaks.

Regardless of what you find, the best thing to do is to change the credentials on your PayPal account and the other financial accounts you use on your devices.

What to Do If Your Data Was Breached

If you are confirmed to have been exposed in the breach, immediate action is required to mitigate the risk. The first order of business should be to change your credentials for the affected service. That also means changing the same passwords wherever they were used on other accounts. Using unique passwords, or a password manager to store the credentials, is also advisable so that you do not reuse one password across several accounts.

Enable multi-factor authentication on each account because this adds a layer of security. You may also contact your bank and credit card firms to alert them so that they can monitor for suspicious transactions. You may set a credit freeze or fraud alert with the main credit bureaus, like Equifax or Experian. The bureaus may also proactively notify lenders processing credit applications in your name to take steps for identity verification.

A credit freeze or fraud alert reduces the potential for criminals to open new accounts in your name. Take advantage of the organization's free credit monitoring or identity protection options. Be vigilant by reviewing statements and credit reports for unauthorized activities. Scammers typically use news of a data breach to send emails in the hope of harvesting more information.

Are There Any Lawsuits Because of the Data Breach?

In the first instance, PayPal faced litigation because of the 2022 data breach. Two customers filed class action suits in the Northern District of California on March 2, 2023. The plaintiffs maintained that PayPal should have known its computer systems were inadequate to safeguard users' personal information. The claimants indicated that the breach left them and other members of the suit at risk of identity theft.

They subsequently sought monetary damages and reimbursement for the resources spent addressing the breach. The breach also attracted regulatory scrutiny, which led to a $2 million settlement with the New York State Department of Financial Services. The recent incident may also attract litigation, especially if it proves to be a new, separate attack.

Can My PayPal Information Be Used for Identity Theft?

The personal information compromised in a data breach can be leveraged for identity theft. The exposed information included addresses, names, social security numbers, and tax identification numbers. With this data, criminals can commit several fraudulent actions, like opening new lines of credit, applying for loans, or filing fake tax returns. The theft of a Social Security number is especially damaging because it is an identifier that cannot be easily changed. If notified that your data was involved, take steps to freeze credit with the main bureaus and monitor financial statements.

What Can You Do to Protect Yourself Online?

Despite PayPal’s claim that the new dataset was obtained from other compromised sources over the years rather than a new breach, users must be vigilant. At the end of the day, the security of your personal data primarily lies with you. The following are a few things you could do to protect yourself online:

  • Change the credentials on your financial accounts to reduce the chances of infiltration. Use strong passwords or a password manager to avoid having the same password for multiple accounts.
  • Enable two-factor authentication on your mobile devices as an extra layer of protection. This would prompt you to verify your identity when accessing your accounts.
  • Keep your software updated and install an antivirus program on your devices.
  • Beware of phishing, which may appear in emails or calls from individuals purporting to be PayPal. Also, avoid downloading attachments from unconfirmed organizations. 
  • Do not send sensitive materials using public Wi-Fi. Using your network at home is advisable as there is less infiltration risk.
