PayPal is notifying a small group of customers that a software glitch in one of its business loan platforms exposed sensitive customer information for nearly six months in 2025. The issue affected the company’s PayPal Working Capital (PPWC) loan application, a tool designed to provide small businesses with quick financing.
The company says the incident was caused by a coding mistake — not a full-scale system breach — and affected roughly 100 customers.
How The Exposure Happened
According to PayPal, the problem began on July 1, 2025, when a code change in the PPWC loan application inadvertently made certain personal data visible to unauthorized individuals. The issue was discovered on December 12, 2025, and the faulty code responsible for the error was rolled back the following day.
Although PayPal said its broader systems were not breached, the coding error still resulted in unauthorized access to personal data.
“On December 12, 2025, PayPal identified that due to an error in its PayPal Working Capital (“PPWC”) loan application, the PII of a small number of customers was exposed to unauthorized individuals during the timeframe of July 1, 2025 to December 13, 2025,” PayPal said in breach notification letters sent to affected users on February 10, 2026.
PayPal added that it did not delay disclosure because of any law enforcement investigation.
What Information Was Exposed
The exposed data may have included highly sensitive personally identifiable information (PII), such as:
- Name
- Email address
- Phone number
- Business address
- Social Security number
- Date of birth
Since Social Security numbers and dates of birth were involved, experts warn that the affected customers could face an elevated risk of identity theft, financial fraud, and targeted phishing attacks.
Unauthorized Transactions Reported
PayPal confirmed that a small number of affected customers experienced unauthorized transactions on their accounts as a direct result of the incident. The company has since issued refunds to those users.
All affected accounts have had their passwords reset, and enhanced security controls have been implemented. Customers who have not yet updated their credentials will be prompted to create a new password the next time they log in.
Credit Monitoring And Safety Advice
To help protect affected users, PayPal is offering two years of complimentary three-bureau credit monitoring and identity restoration services through Equifax. Customers must enrol by June 30, 2026, to take advantage of the offer.
The company is also urging affected users to:
- Remain vigilant by reviewing account activity and transaction history
- Review free credit reports regularly
- Be cautious of phishing attempts
- Avoid sharing passwords or one-time codes via phone, email, or text
PayPal reiterated that it never asks customers for passwords or authentication codes through unsolicited calls, texts, or emails — a reminder that scammers often exploit breach disclosures to launch follow-up attacks.
Not The First Security Incident
This is not the first time that PayPal has had cybersecurity trouble. In January 2023, the company disclosed that nearly 35,000 customer accounts were compromised between December 6 and December 8, 2022, in a credential stuffing attack.
Further, in January 2025, New York State announced a $2 million settlement with PayPal over allegations that it failed to comply with state cybersecurity regulations tied to that earlier breach.
While the latest incident appears limited in scope, it serves as another reminder of how even minor software errors can create serious privacy risks — especially when sensitive financial and identity data is involved.
