PayPal discloses data breach that exposed user info for 6 months
Source: Bleeping Computer

Breach Overview
PayPal is notifying customers of a data breach after a software error in a loan application exposed their sensitive personal information, including Social Security numbers, for nearly six months last year. The incident affected the PayPal Working Capital (PPWC) loan app, which provides small businesses with quick access to financing.
PayPal discovered the breach on December 12, 2025 and determined that customers’ names, email addresses, phone numbers, business addresses, Social Security numbers, and dates of birth had been exposed since July 1, 2025.
“On December 12, 2025, PayPal identified that due to an error in its PayPal Working Capital (“PPWC”) loan application, the PII of a small number of customers was exposed to unauthorized individuals during the timeframe of July 1, 2025 to December 13, 2025,” PayPal said in breach notification letters sent to affected users.
— Breach notification letters (DocumentCloud)
PayPal reversed the code change that caused the incident, blocking attackers’ access to the data one day after discovering the breach.
Response and Mitigation
- The company has rolled back the faulty code and reset passwords for all impacted accounts. Users will be prompted to create new credentials upon their next login if they have not already done so.
- Unauthorized transactions detected on a small number of accounts have been refunded.
- Affected users are offered two years of free three‑bureau credit monitoring and identity restoration services through Equifax, with enrollment required by June 30, 2026.
- PayPal advises customers to monitor their credit reports and account activity for suspicious transactions and reminds them that the company never requests passwords, one‑time codes, or other authentication credentials via phone, text, or email.
Previous Incidents
- January 2023: PayPal notified customers of another breach after a large‑scale credential‑stuffing attack that compromised 35,000 accounts between December 6–8, 2022.
  – Details: BleepingComputer article
- January 2025: New York State announced a $2,000,000 settlement with PayPal over charges that the company failed to comply with the state’s cybersecurity regulations, which were linked to the 2022 data breach.
  – Details: BleepingComputer article