PayPal has confirmed a data breach linked to a software error in its PayPal Working Capital loan application that left sensitive personal information exposed for nearly six months in 2025, affecting approximately 100 customers whose names, business contact details, Social Security numbers, phone numbers and dates of birth were accessible to unauthorized individuals, prompting unauthorized transactions, account password resets and the offer of credit monitoring services as the company rolled back the offending code and implemented enhanced security controls.
Sources
https://www.itpro.com/security/data-breaches/everything-we-know-so-far-about-the-paypal-data-breach
https://www.inkl.com/news/paypal-confirms-data-breach-user-info-may-have-been-exposed-for-6-months-here-s-what-we-know-so-far
https://www.pymnts.com/cybersecurity/2026/paypal-working-capital-security-lapse-exposes-data-of-100-users
Key Takeaways
• A coding error in PayPal’s small-business lending app exposed personally identifiable information of about 100 users for roughly five to six months.
• Some affected customers experienced unauthorized transactions, leading PayPal to issue refunds, reset passwords and offer credit monitoring.
• The breach highlights concerns about delayed detection of internal software issues and potential downstream risks like phishing and identity theft.
In-Depth
In a troubling development for users of the popular digital payment platform, PayPal has acknowledged that a data breach linked to a flawed software deployment in its PayPal Working Capital loan application left sensitive customer information exposed for an extended period in 2025. The problem went undetected from July 1 until the company identified and rectified the issue on December 12, spanning roughly five to six months during which an error in the underlying code allowed unauthorized access to personally identifiable information. The company’s own breach notification letters, sent to customers in early February 2026, make clear that only a small subset of PayPal’s vast user base — approximately 100 customers — were directly affected, but the data exposed was among the most sensitive, including names, business contact details, Social Security numbers and dates of birth. While PayPal maintains that its systems were not “compromised” by an external cybersecurity attack, the fact that this exposure persisted for months before detection and remediation has raised alarm among security professionals.
Compounding concerns, some of the affected users experienced fraudulent transactions on their accounts during the breach period, prompting PayPal to issue refunds. In response, the company reset the passwords of impacted accounts and offered two years of free credit monitoring through a third-party service in an effort to mitigate potential misuse of personal data. Enhanced internal security controls were also implemented once the access was terminated. The limited scope of the breach, involving around 100 business users of the PayPal Working Capital product, contrasts with the platform’s much larger footprint, but the incident underscores a broader risk landscape where software vulnerabilities and coding errors can result in the exposure of deeply personal information.
Security experts have pointed out that the downstream effects of such breaches can extend well beyond the initial incident, with exposed email addresses and contact details providing fodder for phishing campaigns and identity theft attempts even after the primary breach has been contained. The fact that the breach persisted undetected for such an extended period invites questions about internal monitoring and auditing processes, particularly at a company that handles trillions of dollars in transactions and serves hundreds of millions of active accounts. Users are being advised to remain vigilant for suspicious outreach and to adopt stronger authentication practices, but the episode serves as a stark reminder that even major fintech platforms are not immune to internal software flaws that can have significant privacy and security implications.