PayPal Discloses Six-Month Data Exposure Caused by Software Error

PayPal is reporting a data breach affecting its PayPal Working Capital (PPWC) loan application. 

The incident was caused by a faulty code change implemented on July 1, 2025, within the PPWC application interface. The logic error allowed unauthorized access to personally identifiable information (PII). PayPal security teams identified the vulnerability on December 12 and rolled back the problematic code by December 13, 2025.

The compromised data includes:

• Social Security numbers
• Full names and dates of birth
• Business addresses
• Email addresses
• Phone numbers

The number of affected individuals is approximately 100. PayPal confirmed that a small subset of these users experienced unauthorized transactions, but the total financial value of these fraudulent charges was not disclosed.

PayPal began notifying approximately 100 affected customers in February 2026 and is providing two years of complimentary three-bureau credit monitoring and identity restoration services. Additionally, PayPal issued refunds to customers who suffered direct financial losses from unauthorized account activity resulting from the exposure.