PayPal has disclosed a data breach caused by a software bug in its PayPal Working Capital loan app. The flaw had been exposing sensitive customer information since July 1, 2025, until it was discovered and fixed. The exposed data includes customers’ business contact details (name, email, phone number, address), along with Social Security numbers and dates of birth.
On December 12, 2025, PayPal discovered that a coding error in its PayPal Working Capital loan application had exposed the personal information of a small number of customers to unauthorized parties between July 1 and December 13, 2025. The company has since addressed the issue and said the notification was not delayed due to any law enforcement investigation.
“On December 12, 2025, PayPal identified that due to an error in its PayPal Working Capital (“PPWC”) loan application, the PII of a small number of customers was exposed to unauthorized individuals during the timeframe of July 1, 2025 to December 13, 2025. PayPal has since rolled back the code change responsible for this error, which potentially exposed the PII.” reads the data breach notification. “We have not delayed this notification as a result of any law enforcement investigation.”
After detecting the unauthorized access, the company launched an investigation, blocked the intrusion, and reset affected passwords. PayPal also announced the implementation of stronger security checks. The company confirmed that a small number of customers observed unauthorized transactions, which have already been refunded.
The company also offers impacted users two years of complimentary credit monitoring and identity restoration services through Equifax.
Affected users should closely monitor their accounts, transaction history, and free credit reports for suspicious activity and report any fraud immediately. Customers are also encouraged to enroll in complimentary three-bureau credit monitoring through Equifax by June 30, 2026. The company advises reviewing guidance on fraud alerts, free credit reports, and FTC resources to better protect personal information.
In January 2023, PayPal announced that 34942 customers’ accounts had been compromised between December 6 and December 8, 2022. The company added that the unauthorized access was the result of credential stuffing attacks and that its systems were not breached.
(SecurityAffairs – hacking, data breach)