
How much is your stolen PayPal data worth?

05 October 2011

It seems that compromised PayPal account data – usually sourced via phishing attacks – now has a typical cybercriminal value, much as stolen credit and debit card credentials have had for some time.

And as with all tradable commodities – rather like cigarettes and stockings after the Second World War – an exchange now exists to trade those stolen PayPal identities.

According to security researcher Brian Krebs, after tracking stolen PayPal accounts to an exchange – – he has reached the interesting conclusion that, whilst many accounts for sale on the site have a zero balance, they are still worth hard cash to cybercriminals.

This is, he says, because the accounts sold on have verified bank accounts attached to them – meaning, Infosecurity notes, that direct debit, check-free or similar near-instant account withdrawals can be triggered and loaded into the PayPal account. And as an added bonus, many of the stolen PayPal accounts also have a debit or credit card attached to them.

In his latest security posting, the Krebs on Security researcher asserts that the creator of also advertises private, bulk sales of unverified PayPal accounts at the bargain rate of $50.00 per 100 accounts.

“Accounts are sold with or without email access”, he says, adding that email-enabled accounts also come with the user name and password of the victim's email account that is linked to their PayPal registered account, all of which appear to have been stolen using phishing attacks.

Krebs goes on to say that it's not clear how the site operator prices the verified PayPal accounts, as prices seem to vary – from $2.50 for verified accounts with a balance of up to $10.00, to between 8 and 12% of the available balance for accounts with higher balances.

“For example, one account - apparently taken from a hapless victim named Abigail - has a current balance of $121.07, and is being sold for $15.00”, he notes.

“Another account, from Glynn in Tallmadge (Ohio?) has a hefty balance of $1,102.37; its sale price was set at $45.00. Taking a look at the domain name in Gwynn’s email address, I decided she must work at or for Gambit Systems, a software development firm in Akron, Ohio. I sent an email to the administrator at that company, who passed on the information and confirmed that PayPal had since locked down Gwynn’s account”, he says.

Unsurprisingly, Krebs also reports that the operator of operates a carder forum where all sorts of stolen goods and services – including payment card credentials – can be traded.
