
PayPal Data Breach Exposed User Info for 6 Months

Summary

– PayPal experienced a data exposure due to a software error in its Working Capital loan application, which lasted from July 1 to December 13, 2025.
– The exposed personal information included names, Social Security numbers, dates of birth, and contact details for a small number of customers (approximately 100).
– PayPal fixed the error by rolling back the code change one day after discovery and has reset passwords for affected accounts.
– The company is offering affected customers two years of free credit monitoring and has refunded unauthorized transactions linked to the incident.
– This follows previous security issues, including a 2022 credential stuffing attack and a subsequent $2 million settlement with New York State in 2025.

PayPal has informed a group of customers about a significant exposure of their personal data, stemming from a software flaw within its loan application platform. The issue left sensitive details vulnerable for nearly half a year, highlighting ongoing challenges in digital financial security. The incident specifically involved the PayPal Working Capital (PPWC) application, a service designed to offer swift financing solutions to small businesses.

According to notifications sent to users, the company identified the problem on December 12, 2025. An investigation revealed that a code change implemented on July 1, 2025, had inadvertently made certain customer information accessible to unauthorized parties. The exposed data included full names, email and physical addresses, phone numbers, dates of birth, and, critically, Social Security numbers.

PayPal moved swiftly to address the technical failure, rolling back the problematic code change by December 13, 2025, which effectively cut off any potential access to the data. The company emphasized in its communications that the notification to customers was not delayed due to any law enforcement request. As a direct consequence of this data exposure, the company confirmed that a limited number of customer accounts experienced unauthorized transactions; those individuals have reportedly received full refunds.

In response to the breach, PayPal is providing affected users with a complimentary two-year subscription to Equifax’s three-bureau credit monitoring and identity restoration services. Enrollment for this protection must be completed by June 30, 2026. The company has also proactively reset passwords for all impacted accounts, requiring users to establish new credentials upon their next login attempt.

Customers are strongly advised to remain vigilant. They should regularly review their account statements and credit reports for any unusual activity. PayPal also reiterated a crucial security reminder: the company will never ask for passwords, one-time passcodes, or similar authentication details via phone call, text message, or email. Such requests are hallmark tactics of phishing scams, which often surge following data breach announcements.

This event follows other security challenges for the payments giant. In early 2023, PayPal notified customers about a separate incident where a credential-stuffing attack compromised approximately 35,000 accounts over a two-day period in December 2022. Subsequently, in January 2025, New York State authorities reached a $2,000,000 settlement with PayPal over allegations that its cybersecurity practices failed to meet state regulations, contributing to the earlier breach.

In a later clarification, a PayPal representative stated that the company’s internal systems were not directly compromised by an external breach. They characterized the issue as a potential exposure affecting roughly 100 customers, prompting the mandated outreach and notification to those individuals.

(Source: Bleeping Computer)
