Change your password now. (Image: dpa/picture alliance via Getty Images)
A cybercriminal is now selling millions of PayPal usernames and passwords on an online forum, data PayPal told me comes from a 2022 breach. Unsurprisingly, this has triggered headline warnings (1,2) that will alarm millions of users.
The dataset being sold is not as large or as new as advertised — there are not 16 million passwords and it’s not a “massive 2025 PayPal breach.” But it does expose the extent of passwords that are weak and those that are reused across multiple platforms.
You can’t check whether your password is listed in this sale without buying the data for $750, and you certainly don’t want to do that. But if you haven’t changed yours in a while, it’s safest to assume it is and change it now anyway.
You should also ensure that you have enabled 2-Step Verification on your account. Use an authenticator app instead of SMS, which is inherently weak. If your device allows it, add a passkey which links your account sign-in to your device’s security.
Top 20 worst passwords. (Image: NordPass)
Finally, whether it’s an existing or a changed password, you should check it against the list of those that are easily hacked — either because they’re too weak or because they’re too obvious. Even if you’re not using a password manager to select strong, unique passwords, it’s critical you get them right.
The facts are stark. (Image: CyberGhost)
When it comes to passwords that are too weak, you should check the annual list from Hive Systems. This sets out why character length and a mix of upper and lowercase letters, numbers and symbols is so critical. It’s an easy-to-follow set of rules.
The other list is also updated annually. This one comes from NordPass and covers the “top 200 most common passwords.” There’s a little of everything here: numbers, sports teams, pop groups, qwerty variants and kids’ names. All are to be avoided.
There’s a similar list available from CyberGhost, which groups awful passwords by theme rather than popularity. Given that “81% of all data security breaches are caused by weak passwords,” it’s worth a few minutes of your time to check the lists.
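The three checks described above (length, character mix, and membership in a published list of common passwords), plus the reuse problem the PayPal dataset exposes, can be run over your own accounts in a few lines. The script below is an added illustration, not code from this article or from NordPass, CyberGhost or Hive Systems; the common-password list and the sample accounts in it are constructed stand-ins (load the real published lists in practice), and the 12-character minimum is an assumed default you should set from the Hive Systems table rather than a figure from this piece.

```python
import hashlib
import string

# Constructed stand-in for the published common-password lists (NordPass, CyberGhost).
# In practice load the real list from their data; these entries are illustrative only.
COMMON_PASSWORDS = {
    "123456", "password", "12345678", "qwerty", "123456789", "111111",
    "iloveyou", "admin", "welcome", "password1", "qwerty123", "liverpool",
}


def character_classes(password: str) -> dict:
    """Report which of the four character classes the password contains."""
    return {
        "lowercase": any(c.islower() for c in password),
        "uppercase": any(c.isupper() for c in password),
        "digit": any(c.isdigit() for c in password),
        "symbol": any(c in string.punctuation for c in password),
    }


def audit_password(password: str, min_length: int = 12) -> list:
    """Return a list of problems; an empty list means the password passes.

    min_length is a parameter you choose (12 is an assumed default here, not a
    figure from the article); use the Hive Systems table to pick it.
    """
    problems = []
    # Compare case-insensitively so "Password" or "PASSWORD" still matches "password".
    if password.lower() in COMMON_PASSWORDS:
        problems.append("appears on the common-password list")
    if len(password) < min_length:
        problems.append(f"shorter than {min_length} characters")
    missing = [name for name, present in character_classes(password).items() if not present]
    if missing:
        problems.append("missing character classes: " + ", ".join(missing))
    return problems


def find_reused(accounts: dict) -> list:
    """Group account labels that share the same password.

    accounts maps an account label to its password. Passwords are hashed before
    grouping so the report itself carries no plaintext secrets. Returns a sorted
    list of tuples of account labels that share one password.
    """
    by_hash = {}
    for label, password in accounts.items():
        digest = hashlib.sha256(password.encode()).hexdigest()
        by_hash.setdefault(digest, []).append(label)
    return sorted(tuple(sorted(labels)) for labels in by_hash.values() if len(labels) > 1)


if __name__ == "__main__":
    # Constructed sample of a user's accounts for the demo.
    sample_accounts = {
        "paypal": "Summer2024!",
        "email": "Summer2024!",
        "bank": "Password1",
        "cloud": "c0rrect-H0rse-b4ttery!",
    }
    for label, pw in sample_accounts.items():
        print(label, "->", audit_password(pw) or ["ok"])
    print("reused across:", find_reused(sample_accounts))
```

Run it against the entries in your own password manager export (and delete the export afterwards); any account that shows up in the reuse report, or whose password fails any of the three checks, is the one to change first, starting with PayPal, banking, email and cloud storage.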
Given that most users do not use two-factor authentication or regularly update passwords, it’s critical that you get this right. While the revitalized PayPal breach is in the headlines, you can start there. But do the same for all your accounts, especially banking and other finance platforms as well as email and cloud data storage.