PayPal Data Exposure: Six Months of User Information Leaked Online

Software Error in Business Loan Application

PayPal has notified a small group of customers about a cybersecurity incident that exposed personal data for almost six months. The issue was traced to a software error in its PayPal Working Capital (PPWC) loan application system, which provides funding to small businesses based on their PayPal sales history.

The exposure occurred between July 1, 2025, and December 13, 2025. PayPal detected the issue on December 12 and reversed the faulty code the following day.

The affected data included:

• Name
• Email address
• Phone number
• Business address
• Social Security number (SSN)
• Date of birth

Because SSNs and birth dates were involved, the risk of identity theft and fraud is significantly higher. PayPal stated that the notification was not delayed due to any law enforcement investigation.

Company Response and Customer Guidance

After discovering the issue, PayPal removed unauthorized access, fixed the code error, and strengthened internal security controls. Passwords for affected accounts were reset, and customers will be prompted to create new ones if they have not already done so. Refunds were issued to the few users who reported unauthorized transactions.

The company is offering two years of free three-bureau credit monitoring and identity restoration services through Equifax. Affected customers must enroll by June 30, 2026.

PayPal advises impacted users to review account activity and credit reports carefully, enroll in the credit monitoring service, and stay alert for phishing attempts. The company reminds customers it will never request passwords, one-time codes, or authentication details via email, phone, or text. Using strong, unique passwords and enabling multi-factor authentication are strongly recommended.

Although PayPal described the number of affected customers as small, prolonged exposure of Social Security numbers and dates of birth presents serious identity fraud risks. The company has not released further public details beyond direct notifications to affected users.