Updated February 22 with details of previous PayPal security incidents and warnings, further advice for those impacted by the confirmed PayPal Working Capital data breach, which prompted transaction refunds and account password resets, and a statement from a PayPal spokesperson.

Some PayPal users have started to receive email from the company confirming a data breach that exposed personal information to a threat actor who gained access to PayPal’s systems, leading to some seeing unauthorized transactions on their accounts and the resetting of passwords. Here’s what you need to know.

A breach notification letter, which I have verified myself, has confirmed that some PayPal users have been impacted by a data breach after a hacker gained access to PayPal systems on July 1, 2025. The hacker apparently had access until December 12, 2025, when PayPal discovered the security incident. The breach, according to the notifications, which are dated February 10, impacted some users “due to an error in its PayPal Working Capital (“PPWC”) loan application.” It remains to be seen how the attacker’s access evolved, of course, as this remains something of a developing story and PayPal has yet to explain it in any detail beyond a “code change” being responsible. However, following publication of this article, a PayPal spokesperson provided the following statement: “When there is a potential exposure of customer information, PayPal is required to notify affected customers. In this case, PayPal’s systems were not compromised. As such, we contacted the approximately 100 customers who were potentially impacted to provide awareness on this matter.”

I am currently awaiting clarification regarding the seeming disparity between the statement saying that “PayPal’s systems were not compromised,” and the notification, which stated that following an investigation, the company had “terminated the unauthorized access to PayPal’s systems.” I will add another update if and when such a clarification is forthcoming.

“Upon learning about this unauthorized activity, we promptly began an investigation and took action to address this incident, including by taking steps to prevent unauthorized actors from obtaining further personal information,” the PayPal notification stated. It would, however, be nice to know why it took a whole six months for PayPal’s security team to notice the exposure to unauthorized individuals mentioned in the breach notification itself. That’s a huge window of opportunity for attackers, and we should be grateful that so few accounts were potentially impacted before it was closed for good. PayPal has also confirmed that “a few customers experienced unauthorized transactions on their account,” and we now know that this was a very small number, 100 according to the spokesperson who contacted me. PayPal confirmed that it has already issued refunds to those customers who were impacted.

I have covered many previous PayPal security warnings, which have mostly concerned phishing attacks delivered by email, text, or phone, although, if you stretch back as far as 2023, there was another breach. I reported on it at the time, confirming that a total of 34,942 PayPal accounts had been accessed using a credential stuffing attack methodology.
Such attacks involve threat actors deploying an automated process in an attempt to access accounts with login credentials that have been compromised in some way, often credentials that have been reused between accounts and subsequently breached at one of them. Lists of such breached credentials are readily available on the dark web.

In December 2025, I reported how attackers were using legitimate infrastructure to bypass email authentication protections when delivering malicious messages disguised as genuine PayPal support communications. On this occasion, the PayPal billing subscriptions feature was being abused by hackers in an attempt to steal user account credentials. At the time, a PayPal spokesperson told me: “PayPal does not tolerate fraudulent activity, and we work hard to protect our customers from consistently evolving phishing scams. We are actively mitigating this matter, and encourage people to always be vigilant online and mindful of unexpected messages. If customers suspect they are a target of a scam, we recommend they contact Customer Support directly through the PayPal app or our Contact page for assistance.”

Most iPhone owners have hopefully learned to manage app permissions by now, including allowing location access. But there’s another layer of location tracking that operates outside these controls. Your cellular carrier has been collecting your location data all along, and until now there was nothing you could do about it. Apple just changed this in iOS 26.3 with a new setting called “limit precise location.”

Cellular networks track your phone’s location based on the cell towers it connects to, in a process known as triangulation. In cities where towers are densely packed, triangulation is precise enough to track you down to a street address. This tracking is different from app-based location monitoring, because your phone’s privacy settings have historically been powerless to stop it. Toggle Location Services off entirely, and your carrier still knows where you are.

The new setting reduces the precision of location data shared with carriers. Rather than a street address, carriers would see only the neighborhood where a device is located. It doesn’t affect emergency calls, though, which still transmit precise coordinates to first responders. Apps like Apple’s “Find My” service, which locates your devices, or its navigation services, aren’t affected because they work using the phone’s location sharing feature.

Why is Apple doing this? Apple hasn’t said, but the move comes after years of carriers mishandling location data. Unfortunately, cellular network operators have played fast and loose with this data. In April 2024, the FCC fined Sprint and T-Mobile (which have since merged), along with AT&T and Verizon, nearly $200 million combined for illegally sharing this location data. They sold access to customers’ location information to third-party aggregators, who then sold it on to other third parties without customer consent.

The feature only works with devices equipped with Apple’s custom C1 or C1X modems. That means just three devices: the iPhone Air, iPhone 16e, and the cellular iPad Pro with M5 chip. The iPhone 17, which uses Qualcomm silicon, is excluded. Apple can only control what its own modems transmit. Carrier support is equally narrow. In the US, only Boost Mobile is participating in the feature at launch, while Verizon, AT&T, and T-Mobile are notable absences from the list given their past record.

Google also introduced a similar capability with Android 15’s Location Privacy hardware abstraction layer (HAL) last year. It faces the same constraint, though: modem vendors must cooperate, and most have not. Apple and Google don’t get to control the modems in most phones. This kind of privacy protection requires vertical integration that few manufacturers possess and few carriers seem eager to enable.
Cybersecurity researcher Jeremiah Fowler uncovered a data leak of 149 million logins and passwords, and shared his findings with ExpressVPN. We are publishing his report to help the public stay informed and protected as part of our ongoing effort to highlight important security risks.

The publicly exposed database was not password-protected or encrypted. It contained 149,404,754 unique logins and passwords, totaling a massive 96 GB of raw credential data. In a limited sampling of the exposed documents, I saw thousands of files that included emails, usernames, passwords, and the URL links to the login or authorization pages for the accounts. This is not the first dataset of this kind I have discovered, and it only highlights the global threat posed by credential-stealing malware. When data is collected, stolen, or harvested it must be stored somewhere, and a cloud-based repository is usually the best solution. This discovery also shows that even cybercriminals are not immune to data breaches.

The database was publicly accessible, allowing anyone who discovered it to potentially access the credentials of millions of individuals. The exposed records included usernames and passwords collected from victims around the world, spanning a wide range of commonly used online services and almost any type of account imaginable. These ranged from social media platforms such as Facebook, Instagram, TikTok and X (formerly Twitter), to dating sites or apps, and OnlyFans accounts indicating login paths of both creators and customers. I also saw a large number of streaming and entertainment accounts, including Netflix, HBO Max, Disney Plus, Roblox, and more. Financial services accounts, crypto wallets or trading accounts, banking and credit card logins also appeared in the limited sample of records I reviewed.

One serious concern was the presence of credentials associated with .gov domains from numerous countries. While not every government-linked account grants access to sensitive systems, even limited access could have serious implications depending on the role and permissions of the compromised user. Exposed government credentials could potentially be used for targeted spear-phishing, impersonation, or as an entry point into government networks. This increases the potential of .gov credentials posing national security and public safety risks.

The database had no associated ownership information, so I reported it directly to the hosting provider via their online report abuse form. I received a reply several days later stating that they do not host the IP and that it is a subsidiary that operates independently while still using the parent organization’s name. It took nearly a month and multiple attempts before action was finally taken, the hosting was suspended, and millions of stolen login credentials were no longer accessible. The hosting provider would not disclose any additional information regarding who managed the database. It is not known if the database was used for criminal activity or if this information was gathered for legitimate research purposes, nor how or why the database was publicly exposed. It is not known how long the database was exposed before I discovered and reported it, or whether others may have gained access to it. One disturbing fact is that the number of records increased from the time I discovered the database until it was restricted and no longer available.

The database appeared to store the output of keylogging and “infostealer” malware, a type of malicious software designed to silently harvest credentials from infected devices. These files were different from previous infostealer malware datasets that I have seen because they logged additional information. The records also included the “host_reversed path” formatted as (com.example.user.machine). This structure is used to create an easily indexable way to organize the stolen data by victim and source. Reversing the hostname can also help avoid directory conflicts, or serve as an attempt to bypass basic detection rules that look for standard domain formats. The system used a line hash as the document ID to ensure one unique record per unique log line. In a limited search of these hash and document IDs, I confirmed that they were indeed unique and returned no duplicates.

The exposure of such a large number of unique logins and passwords presents a potentially serious security risk to a large number of individuals who may not know their information was stolen or exposed. Because the data includes emails, usernames, passwords, and the exact login URLs, criminals could potentially automate credential-stuffing attacks against exposed accounts including email, financial services, social networks, enterprise systems, and more. This dramatically increases the likelihood of fraud, potential identity theft, financial crimes, and phishing campaigns that could appear legitimate because they reference real accounts and services.
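Both the 2023 PayPal incident described earlier and the leaked credential database above come back to credential stuffing, where one automated source tries many different accounts with reused passwords. The following Python is added here as an illustration, not code from PayPal or from the researcher; the log line format, the five-minute window and the thresholds are assumptions. It runs a simple detector over a constructed authentication log: a source that attempts many distinct accounts with mostly failures inside one window is flagged, and the accounts it did get into are listed so they can be force-reset.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample authentication log (not real traffic). Assumed line format:
# "<ISO timestamp> src=<ip> user=<account> result=<ok|fail>"
SAMPLE_LOG = """\
2025-07-01T10:00:01 src=203.0.113.9 user=alice result=fail
2025-07-01T10:00:02 src=203.0.113.9 user=bob result=fail
2025-07-01T10:00:03 src=203.0.113.9 user=carol result=fail
2025-07-01T10:00:04 src=203.0.113.9 user=dave result=ok
2025-07-01T10:00:05 src=203.0.113.9 user=erin result=fail
2025-07-01T10:00:06 src=203.0.113.9 user=frank result=fail
2025-07-01T10:00:30 src=198.51.100.7 user=alice result=fail
2025-07-01T10:01:10 src=198.51.100.7 user=alice result=ok
"""

LINE_RE = re.compile(r"^(\S+) src=(\S+) user=(\S+) result=(ok|fail)$")

def parse(log_text):
    """Turn log lines into (timestamp, source_ip, account, success) tuples."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ts, src, user, result = m.groups()
            events.append((datetime.fromisoformat(ts), src, user, result == "ok"))
    return events

def detect_stuffing(events, window=timedelta(minutes=5), min_accounts=5, min_fail_ratio=0.6):
    """Flag sources that hit many distinct accounts with mostly failures inside one window.
    A single user retrying their own password (one account, a few failures) is not flagged."""
    by_src = defaultdict(list)
    for ts, src, user, ok in sorted(events):
        by_src[src].append((ts, user, ok))
    flagged = {}
    for src, rows in by_src.items():
        start = 0
        for end in range(len(rows)):  # sliding window over this source's attempts
            while rows[end][0] - rows[start][0] > window:
                start += 1
            win = rows[start:end + 1]
            accounts = {u for _, u, _ in win}
            ratio = sum(1 for _, _, ok in win if not ok) / len(win)
            if len(accounts) >= min_accounts and ratio >= min_fail_ratio:
                flagged[src] = {"accounts": len(accounts), "fail_ratio": round(ratio, 2),
                                "hits": sorted({u for _, u, ok in win if ok})}  # reset these
    return flagged
```

The `hits` list is the actionable output: accounts a flagged source actually logged into are the ones whose passwords were valid and reused elsewhere.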
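The report's point that a reversed hostname such as com.example.user.machine can slip past rules written for standard domain formats calls for a normalization step before any matching. This added Python example is not the researcher's code; the pipe-separated record layout, the hypothetical example.gov organization and the placeholder passwords are all constructed. It shows a standard-format rule missing the raw reversed field, then un-reverses the host_reversed field, deduplicates by a SHA-256 line hash in the way the report describes, and matches victim hosts against monitored domain suffixes so a defender can find their own infected endpoints without retaining the secret field.

```python
import hashlib

# Constructed records in the layout the report describes: a host_reversed field
# (com.example.user.machine style) plus login URL, username and password.
# Hosts, users and passwords are placeholders, not real leaked data.
SAMPLE_LINES = [
    "gov.example.mail.ws-17|https://mail.example.gov/login|jdoe|placeholder-1",
    "com.socialsite.www|https://socialsite.example/auth|user42|placeholder-2",
    "gov.example.mail.ws-17|https://mail.example.gov/login|jdoe|placeholder-1",  # exact duplicate
    "gov.example.vpn.lt-03|https://mail.example.gov/login|jdoe|placeholder-3",
]

def unreverse_host(host_reversed):
    """com.example.user.machine -> machine.user.example.com (standard hostname order)."""
    return ".".join(reversed(host_reversed.split(".")))

def line_id(line):
    """Document ID as a hash of the whole log line, so identical lines collapse to one record."""
    return hashlib.sha256(line.encode("utf-8")).hexdigest()

def naive_match(lines, monitored_suffixes):
    """A rule written for standard hostnames applied to the raw reversed field: it misses everything."""
    return [l for l in lines if l.split("|", 1)[0].endswith(tuple(monitored_suffixes))]

def triage(lines, monitored_suffixes):
    """Deduplicate by line hash, normalise hosts, and return (unique_records, matches),
    where matches are records whose victim host falls under a monitored domain suffix."""
    seen, unique = set(), []
    for line in lines:
        doc_id = line_id(line)
        if doc_id in seen:
            continue
        seen.add(doc_id)
        host_rev, url, user, _secret = line.split("|", 3)  # the secret field is never kept
        unique.append({"id": doc_id[:12], "host": unreverse_host(host_rev),
                       "url": url, "user": user})
    suffixes = tuple(monitored_suffixes)
    matches = [r for r in unique if r["host"].endswith(suffixes)]
    return unique, matches
```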