It's not just PayPal fraud per se. Leaking a user's PayPal email address and password has a lot of other consequences. (Yeah yeah, in theory you should use distinct passwords for different sites etc. etc.)
To log in to a PayPal account, the password is enough; user-agent and IP/location can be faked. When you're in, you get access to the user's transaction history. Ouch.
I just spent 10 minutes navigating the PayPal website trying to activate 2-factor auth on my account. Apparently they don't even offer it, at least for Singapore accounts.
(Yes, that's pretty nasty - but is putting a poorly-secured "startup" online really any better?)