PayPal has issued a formal data breach notification disclosing that a coding error in its PayPal Working Capital (PPWC) loan application exposed the personally identifiable information (PII) of an undisclosed number of customers for approximately six months, from July 1, 2025, to December 13, 2025.<\/p>\n
The company detected the unauthorized exposure on December 12, 2025, and formally notified affected customers via written disclosure dated February 10, 2026, from its San Jose, California headquarters.<\/p>\n
The breach resulted not from an external intrusion campaign but from an internal software defect, a code change within the PPWC loan application interface that inadvertently permitted unauthorized third parties to access customer PII.<\/p>\n
PayPal confirmed that the responsible code<\/a> change has since been rolled back and that unauthorized access to its systems has been terminated. The company also stated that no law enforcement investigation delayed the issuance of this notification.<\/p>\n The categories of personal information potentially exposed during the breach window are highly sensitive and include full name, email address, phone number, business address, Social Security number (SSN), and date of birth.<\/p>\n The combination of SSNs and date of birth alongside business contact details creates a high-risk profile for identity theft, financial fraud, and social engineering attacks targeting affected individuals.<\/p>\n PayPal noted that a small number of customers also experienced<\/a> unauthorized transactions on their accounts, and the company has issued refunds to those individuals.<\/p>\n Following the discovery, PayPal initiated a full investigation, terminated unauthorized system access, and enforced mandatory password resets for all affected accounts. Enhanced security controls were implemented to require new credentials upon the next login.<\/p>\n As a remediation measure, the company is offering two years of complimentary three-bureau credit monitoring and identity restoration services through Equifax Complete Affected users must enroll via Equifax using their provided activation code before the July 31, 2026, deadline.<\/p>\n Affected customers are urged to review their account transaction history, monitor their credit reports through\u00a0annualcreditreport.com<\/em>, and consider placing a fraud alert or credit freeze with all three major bureaus, Equifax, Experian, and TransUnion, at no cost.<\/span><\/p>\n PayPal also reminded users that the company will never request account credentials, passwords, or one-time authentication codes via call, text, or email.<\/p>\n A spokesperson for PayPal stated to Cybersecurity News that, \u201cWhen there is a potential exposure of customer information, PayPal is obligated to notify the affected customers. In this situation, PayPal\u2019s systems were not compromised. Therefore, we reached out to approximately 100 customers who were potentially impacted to raise awareness about this matter.\u201d<\/p>\n Follow us on Google News<\/a>, LinkedIn<\/a>, and X<\/a> for daily cybersecurity updates. Contact us<\/a> to feature your stories.<\/strong><\/p>\n The post PayPal Data Breach Exposes SSNs and Business PII of Customers for Over Six Months<\/a> appeared first on Cyber Security News<\/a>.<\/p>\n<\/div>\nPayPal Data Breach<\/strong><\/h2>\n
![\"\u2122\"](\"https:\/\/i0.wp.com\/s.w.org\/images\/core\/emoji\/17.0.2\/72x72\/2122.png?ssl=1\")
Premier, which includes up to $1,000,000 in identity theft insurance coverage.<\/p>\n