Attacks don’t stop at one company. Reused credentials and phishing domains make every business a target.
The PayPal “Hack” That Shook Confidence
In May 2025, headlines screamed that nearly 16 million PayPal accounts had been hacked. Hackers claimed to be selling a massive dataset of email and password pairs on a dark-web forum. The news rattled PayPal’s users and fueled social chatter about whether the platform could be trusted.
But the story was more complicated. Security researchers quickly pointed out that the dataset resembled infostealer malware logs—collections of usernames and passwords quietly harvested from infected personal devices. PayPal denied that its systems had been breached, pointing instead to an earlier 2022 credential-stuffing incident in which 35,000 accounts were compromised.
Whether the 2025 claims were real or recycled, the outcome was the same: trust eroded. Users questioned whether their money was safe. Regulators had already fined PayPal $2 million for prior lapses. And the brand took another reputational hit—without a single line of PayPal code necessarily being broken.
This is the reality of modern cybercrime: credential stuffing, not direct system hacks, drives many of today’s “breaches.”
What Exactly Is Credential Stuffing?
Credential stuffing is one of the simplest yet most effective attacks online. Instead of guessing passwords from scratch, attackers use already stolen logins—harvested from past breaches or infostealer malware—to try logging into other services.
Think of it this way: if a user reuses the same email and password for PayPal, Gmail, and their online bank, one compromised account becomes the key to many doors.
The scale is staggering. A 2020 Atlas VPN study estimated 3.6 million credential-stuffing attempts every hour, resulting in $6.4 billion in damages between 2015 and 2020. With more than 11 billion stolen credentials circulating online, attackers have endless fuel for automated campaigns.
While each login attempt has a low probability of success—perhaps 0.1 to 2%—attackers make up for it in volume. Bots can hammer websites with hundreds of thousands of attempts in minutes, often disguising themselves as legitimate traffic.
Why the PayPal Headlines Matter
Even if PayPal wasn’t breached in 2025, the perception that it was created lasting damage.
- Public trust dropped. YouGov’s BrandIndex reported PayPal’s “word of mouth” score falling from nearly 20% in April 2025 to 17% by June, as security-conscious users soured on the brand.
- Regulators had leverage. Earlier in the year, New York regulators fined PayPal for failing to prevent the 2022 credential-stuffing attack. “Not a breach” is little comfort when regulators expect proactive defense.
- Attackers exploited confusion. By labeling recycled data as a “PayPal breach,” criminals made their stolen logs more marketable. Headlines gave cover to the sale.
The lesson? Perception becomes reality. Even if your systems aren’t compromised, stolen user credentials can damage your reputation, trigger fines, and drive customers away.
How Credential Stuffing Works in Practice
Credential stuffing often begins with infostealer malware—malicious software that hides on a user’s device, collecting passwords, browser cookies, and saved credit card numbers. These logs are packaged into neat files, often formatted as email:password:url, and sold cheaply on criminal forums.
Attackers then deploy automated tools to replay those credentials across high-value targets—banks, e-commerce sites, SaaS platforms. The process is relentless, and even a fraction of successful logins can mean thousands of compromised accounts.
The weak points are familiar:
- Password reuse across multiple services.
- Reliance on SMS codes instead of stronger MFA.
- Slow password-change habits, leaving stolen logins exploitable for months or years.
Defending Against Credential Stuffing
There are two fronts in this fight: user hygiene and organizational defense.
For users:
- Use unique, complex passwords for every account.
- Rely on a password manager to generate and store them securely.
- Enable multi-factor authentication (MFA) with authenticator apps or passkeys, not SMS.
- Regularly check whether credentials have appeared in breaches via services like HaveIBeenPwned.
For organizations:
- Monitor for credential leaks and dark-web chatter involving your brand.
- Detect and take down phishing domains that trick users into handing over logins.
- Implement rate-limiting and bot detection to identify automated login attempts.
- Strengthen infrastructure resilience with DNS monitoring, DNSSEC validation, and SSL/TLS oversight.
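To make the bot-detection item concrete, here is an added example (not code from this article or from any product it mentions) that flags source IPs whose login attempts touch many distinct accounts and almost all fail, which is the low-success, high-volume pattern described earlier. The log format, thresholds, and sample lines are assumptions constructed for the illustration.

```python
from collections import defaultdict, deque

# Thresholds are assumptions for this example; tune them against real traffic.
WINDOW_SECONDS = 60       # sliding window kept per source IP
MIN_DISTINCT_USERS = 20   # distinct usernames before an IP looks automated
MIN_FAILURE_RATIO = 0.90  # replayed logins rarely succeed, so failures dominate


def parse_line(line):
    """Parse 'epoch_seconds source_ip username result' (a hypothetical log format)."""
    ts, ip, user, result = line.split()
    return int(ts), ip, user, result == "ok"


def detect_stuffing(lines):
    """Return {ip: (peak_distinct_users, failure_ratio)} for IPs crossing both thresholds."""
    windows = defaultdict(deque)  # ip -> (ts, user, ok) events inside the window
    flagged = {}
    for ts, ip, user, ok in sorted(parse_line(l) for l in lines if l.strip()):
        win = windows[ip]
        win.append((ts, user, ok))
        while win[0][0] <= ts - WINDOW_SECONDS:
            win.popleft()  # drop events older than the window
        users = len({u for _, u, _ in win})
        ratio = sum(1 for _, _, good in win if not good) / len(win)
        # Many accounts AND mostly failures: one account with many failures is a
        # forgetful user, many accounts that mostly succeed is a shared NAT.
        if users >= MIN_DISTINCT_USERS and ratio >= MIN_FAILURE_RATIO:
            if users > flagged.get(ip, (0, 0.0))[0]:
                flagged[ip] = (users, ratio)
    return flagged


def build_sample_log():
    """Constructed log lines, not real traffic (documentation IP ranges)."""
    lines = []
    for i in range(40):  # automated replay: 40 accounts in 40 s, one valid pair
        lines.append(f"{1000 + i} 203.0.113.7 user{i}@example.com {'ok' if i == 17 else 'fail'}")
    for i, res in enumerate(["fail", "fail", "ok"]):  # one user mistyping a password
        lines.append(f"{1005 + 10 * i} 198.51.100.4 alice@example.com {res}")
    for i in range(25):  # office NAT: 25 accounts, nearly all succeed
        lines.append(f"{1000 + 2 * i} 192.0.2.10 staff{i}@example.com {'fail' if i % 10 == 0 else 'ok'}")
    return lines


if __name__ == "__main__":
    for ip, (users, ratio) in detect_stuffing(build_sample_log()).items():
        print(f"{ip}: {users} distinct usernames, {ratio:.0%} failed within {WINDOW_SECONDS}s")
```

Per-IP counting is only one signal; the same distinct-account and failure-ratio test can be keyed on other request attributes when automated traffic is spread across many addresses.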
Closing the Blind Spots with DomainSure
Credential stuffing thrives in the blind spots most businesses overlook: fake login portals, typosquatted domains, and subtle DNS anomalies that slip past standard security tools.
That’s why we built DomainSure. Our platform brings 20+ years of DNS expertise to protect your naming infrastructure—the attack surface criminals target first when stealing or replaying credentials.
With DomainSure, your team gains:
- Phishing detection & takedowns — We identify lookalike domains and take them down before they harvest credentials.
- Continuous DNS & SSL monitoring — Alerts on unauthorized changes, expired certificates, or DNSSEC failures.
- Dark web scans — Early warnings if your brand or domains appear in criminal chatter.
- Business continuity protection — From backups to instant DNS failover, so operations stay resilient even under attack.
Credential stuffing may exploit users, but the brand fallout always lands on the enterprise. DomainSure closes the gaps so your reputation, your customers, and your operations stay secure.
Conclusion
The PayPal story is a cautionary tale. It wasn’t just about one dataset or one company—it was about how reused credentials and phishing infrastructure spread risk everywhere.
Attackers don’t need to break your systems. They only need one careless password, one fake login page, one overlooked DNS change.
With billions of stolen logins in circulation, the question isn’t if your brand will be tested by credential stuffing—it’s when.
The right time to close your blind spots is before the headlines arrive.