PayPal has informed customers about a data exposure incident caused by a software error in its loan application platform, which left sensitive personal information visible for nearly six months in 2025.
The issue involved the company’s PayPal Working Capital (PPWC) loan application, a service designed to provide small businesses with fast financing solutions.
According to PayPal, the problem was identified on December 12, 2025. An internal review revealed that customer information — including names, email addresses, phone numbers, business addresses, Social Security numbers, and dates of birth — had been accessible since July 1, 2025.
The company stated it corrected the coding error within a day of detection, preventing further unauthorized access.
In breach notification letters sent to affected individuals, PayPal said: "On December 12, 2025, PayPal identified that due to an error in its PayPal Working Capital ("PPWC") loan application, the PII of a small number of customers was exposed to unauthorized individuals during the timeframe of July 1, 2025 to December 13, 2025," PayPal said in breach notification letters sent to affected users."PayPal has since rolled back the code change responsible for this error, which potentially exposed the PII. We have not delayed this notification as a result of any law enforcement investigation."
The company confirmed that a limited number of users experienced unauthorized account transactions connected to the exposure. Those customers have been reimbursed.
To support impacted individuals, PayPal is offering two years of complimentary three-bureau credit monitoring and identity restoration services through Equifax. Customers must enroll by June 30, 2026, to receive the benefits.
Users are encouraged to closely monitor account activity and credit reports for unusual behavior. PayPal reiterated that it does not request passwords, one-time passcodes, or authentication details via phone calls, text messages, or emails — warning customers to remain cautious of phishing attempts that often follow breach disclosures.
Additionally, passwords for affected accounts have been reset. Customers who have not already updated their credentials will be required to do so at their next login.
This is not the first security-related incident involving the fintech firm. In January 2023, PayPal disclosed a credential stuffing attack that compromised approximately 35,000 accounts between December 6 and December 8, 2022. In January 2025, the State of New York announced a $2 million settlement with the company over allegations that it failed to meet state cybersecurity compliance standards tied to the 2022 breach.
Following publication of the report, a PayPal spokesperson clarified the scope of the incident in a statement to BleepingComputer, emphasizing that core systems were not breached and that roughly 100 customers were potentially affected.
"When there is a potential exposure of customer information, PayPal is required to notify affected customers," the spokesperson said. "In this case, PayPal’s systems were not compromised. As such, we contacted the approximately 100 customers who were potentially impacted to provide awareness on this matter.”
