
PayPal has disclosed a data breach that exposed sensitive personal information for a subset of its customers, after a coding error in its PayPal Working Capital loan application left the data accessible for several months.
In notification letters dated February 10, 2026, PayPal informed affected individuals that it discovered the issue on December 12, 2025. According to the notice, a code change in the PayPal Working Capital (PPWC) loan application inadvertently exposed personally identifiable information (PII) to unauthorized individuals between July 1, 2025, and December 13, 2025. The company states that it has since rolled back the faulty code responsible for the exposure.
The incident did not stem from a traditional external intrusion such as ransomware or credential stuffing, but rather from what PayPal describes as an “error” in the PPWC loan application. While the company did not provide technical details about the vulnerability, it confirmed that unauthorized parties accessed customer data during the affected timeframe.
The exposed data may have included business contact information, such as names, email addresses, phone numbers, and business addresses. More critically, the compromised records could also have contained Social Security numbers and dates of birth, data elements that significantly increase the risk of identity theft and financial fraud.
PayPal is one of the world’s largest online payment platforms, serving more than 400 million active accounts globally and processing billions of transactions annually. Its PayPal Working Capital program provides business loans to merchants based on their sales history, offering streamlined access to funding directly through the PayPal ecosystem.
Upon identifying the issue, PayPal says it initiated an internal investigation and terminated the unauthorized access. The company reset passwords for affected accounts and implemented enhanced security controls, requiring impacted users to establish new credentials if they had not already done so. PayPal also acknowledged that a “few customers” experienced unauthorized transactions as a result of the incident, though it stated that those customers have since been reimbursed.
The company emphasized that the notification was not delayed due to any law enforcement investigation.
To mitigate potential harm, PayPal is offering two years of complimentary credit monitoring and identity restoration services through Equifax. Affected individuals must enroll by July 31, 2026, using a unique activation code provided in their notification letter.
PayPal also advises customers to closely review account activity and obtain free annual credit reports from Equifax, Experian, and TransUnion through AnnualCreditReport.com. The notice outlines steps for placing fraud alerts or credit freezes, which can prevent new lines of credit from being opened without explicit authorization.
Given the type of data exposed, attackers may attempt follow-up social engineering campaigns impersonating PayPal or credit bureaus. PayPal reiterated in its notice that it will never request account passwords or one-time authentication codes via phone, email, or text message.






