Crook offers 1,300 PayPal accounts, claims billions more are compromised

On Monday, a random posting to Pastebin offered 1,300 email addresses and passwords to anyone who happened to come across the file, and provided a sponsored link to what the post claims to be a file containing billions of PayPal accounts.

The post on Pastebin records the email address and password for 1,300 people, and claims to be a list of PayPal accounts. There is an Ad Fly link to what’s said to be a downloadable master list of 23,873,667,087 hacked accounts. Aside from loading an Ad, the link itself is dead, as the download domain doesn’t exist anymore.

But there’s plenty to question when it comes to the authenticity of the list.

A search of some of the disclosed email addresses show the exact list posted anonymously to Pastebin on November 28, but without the PayPal claims.

The list posted twice more over the following days, but each post was claimed by two different hackers – Madridninitoz and Fall9100.

[ TIPS: 7 security maneuvers to stay ahead of password exposures ]

What’s more, depending on where the list was posted, the claim is that the list is either a generic set of email usernames and passwords; compromised PayPal accounts; or PayPal accounts associated with IMVU-based purchases.

For those not familiar, IMVU is similar to Second Life, as it’s a metaverse with its own economy and currency.

So the lists are highly questionable, and there is no way to prove that IMVU or PayPal have been compromised. For that matter, 23 billion accounts is an insane number, considering that based on figures from 2013, there are just over 7 billion people on Earth.

Salted Hash has reached out to IMVU and PayPal for comment, and shared the list of names with each company so they can check their data and verify any problems.

For now, if you’re a user of either website and concerned, it might be wise to change your password just to be safe.

Again, the list is questionable, as are the claims that went out with it, but the fact remains that 1,300 people had their accounts dumped on the Web, so that’s worth looking into.

All of the accounts exposed by this circulated list have been added to the “Have I Been Pwned?” database, they’ll appear flagged by breaches marked November 28 and December 1.

This story will be updated as new information emerges.

Update 1:

PayPal has confirmed they’re checking the list and gathering additional information. While they haven’t offered any other confirmations, such as a confirmed a security incident, they also cast doubt on the claim that billions of accounts have been compromised – PayPal only has 173 million active customer accounts.

Update 2:

While searching for additional context, Salted Hash discovered another copy of this list posted to a semi-private forum. The person who posted it, “m0rg4n”, is also sharing compromised Facebook accounts in Israel, various compromised credit card accounts and the database configuration for a television station in Costa Rica.

What this means is that the information being circulated is likely unrelated to a breach at PayPal or IMVU. There’s nothing to prove that either of those companies has been compromised other than claims by the criminals circulating the data itself.

If anything, a better bet would be the data being shared was part of a Phishing campaign or harvested from a malware infested computers – perhaps both.

Update 3:

A PayPal spokesperson has stated that the company’s “security professionals have looked into the reports that our customer accounts were compromised, and we can confirm the reports are inaccurate.”

However, we’ve asked for additional clarification, because there is a chance that those accounts were tied not to PayPal directly, but to something related to PayPal and a third-party. We’ve asked PayPal to confirm that none of the accounts given to them to check are active PayPal customers, nor have they ever been associated with a PayPal product or service.