Back

paypal.com Domain Breach Exposure Report

Risk Score

High Risk

Massive event volume or critical assets compromised.

AI Findings Summary

Critical

The telemetry indicates a significant exposure event impacting PayPal, with over 53 million total events recorded between July 2025 and June 2026. A substantial portion of these events, approximately 47 million, are attributed to historical data breaches, while over 6.4 million are linked to active infostealer logs. The data suggests a broad impact, affecting both employees and clients, with client-related events significantly outnumbering employee events. The primary malware families observed are LummaC2, Redline, and Rhadamanthys, all known for credential harvesting and data exfiltration. The majority of the data originates from combolist sources, suggesting large-scale credential stuffing or account takeover attempts. Geographically, the United States, Brazil, and India show the highest concentration of affected entities.

Total Events

53,601,099
credential exposure events

Employee Affected Events

40,125
account email domain = paypal.com

Client Affected Events

53,560,974
service target = paypal.com

Free Community Account

Stop stolen credentials from logging in

Own this domain? Create a free Lunar account to see full exposure data and evidence.

12-Month Events Timeline

Event volume by breach date, employee VS client

EmployeesClients
15,000,00010,000,0005,000,0000
peak month 12,698,006
Jul 25Sep 25Nov 25Jan 26Mar 26May 26Jun 26

Infostealers VS Data Breaches

Live stealer logs VS data breaches

Infostealer logs
Events6,443,806
Share12%
Data breaches
Events47,157,293
Share88%
Infostealer logs (12%)
6,443,806events
Data breaches (88%)
47,157,293events

40,125 compromised employee accounts pose an infrastructure risk, while 53,560,974 leaked client credentials create regulatory liability.

Antivirus Distribution

Security Tools on Infected Endpoints

Windows Defender80,561
Windows Defender.3,573
Windows Defender McAfee1,053
McAfee911
Avast771
Windows Defender [ON]764
Malwarebytes757
Windows Defender Reason Cybersecurity691
Reason Cybersecurity537

Malware Families Distribution

Distribution of Active Stealer Strains

LummaC21,107,005
Redline1,032,761
Rhadamanthys854,143
Vidar435,344
Acreed414,409
RisePro111,247
StealC109,396
Millenium47,624
Remus39,764

Top Login URLs

Top exposed services found in the event results

  1. 1paypal.com5,545,055
  2. 2https://www.paypal.com/signin4,208,091
  3. 3https://paypal.com4,086,394
  4. 4https://www.paypal.com3,417,224
  5. 5paypal.com/signin3,324,670
  6. 6www.paypal.com2,366,749
  7. 7www.paypal.com/signin2,055,093
  8. 8android://rF2BMtDX6N5uymxwf2Syvpr7kW1gTUHhATVyF8dhrmRE8mvmWQ1KwSOvcxAEnpM52kL_VrS3omH3kq-I6N6SRQ==@com.paypal.android.p2pmobile/1,748,673
  9. 9https://www.paypal.com/1,295,879
  10. 10https://paypal.com/signin1,028,794

Infostealer By Geography

Shows the distribution of Infostealer-related credential exposure events across different geographic regions. The location is determined by analyzing the metadata of the infected machines associated with each event.

United States
Events416,648
Brazil
Events276,364
India
Events194,159
Philippines
Events172,037
France
Events167,437
Mexico
Events149,542
Spain
Events130,530
Germany
Events127,011

Country Breakdown

  1. 1United States416,648
  2. 2Brazil276,364
  3. 3India194,159
  4. 4Philippines172,037
  5. 5France167,437
  6. 6Mexico149,542
  7. 7Spain130,530
  8. 8Germany127,011

Services Classification Distribution

Blast radius - closer to core = more critical infrastructure, size = credential volume

Git48
Microsoft47
WordPress30
F517
Jira (Atlassian)13
Cisco (AnyConnect)12
Okta10

Operating System Distribution

Distribution of compromised endpoint builds

Windows 11456,522
Windows 10 Enterprise x64425,616
Windows 11 24H2 build 26100 (64 Bit)354,587
Windows 10 22H2 build 19045 (64 Bit)311,059
Windows 10 Pro (10.0.19045) x64242,957

Leak Repository Classification

Where the exposed records currently reside

0
Named breaches
47,113,946
Combolist pools
43,347
Unattributed dumps

Disclaimer: This report includes AI-generated content. AI can make mistakes, so verify important findings independently before taking action.