PayPal Data Breach: Info May have been Exposed for 6 months
An error in coding of a PayPal app left some customers’ data exposed and even resulted in a few fraudulent transactions, the ecommerce company has confirmed. PayPal recently notified a subset of its customers that it identified a bug in its PayPal Working Capital (PPWC) loan application, which works as a business financing product, giving eligible businesses a cash advance, based on their PayPal sales history.
Discovered on December 12, 2025, the bug was leaking sensitive data for more than five months, between July 1, 2025, and December 13, 2025, including user names, email addresses, phone numbers, business addresses, Social Security numbers (SSN), and dates of birth.
This is a potent mix of data that can easily be leveraged in a phishing email, tricking users into giving away their login credentials and thus access to funds, as well.
The incident affected the PayPal Working Capital (PPWC) loan app, which provides small businesses with quick access to financing.
To make matters worse, it seems that the bug itself also granted malicious actors access to other people’s funds. In the warning email, PayPal said that “a few customers experienced unauthorized transactions on their account.”
We don’t know how many “a few” actually are, but PayPal stressed that the unauthorized access was revoked, and victims reimbursed. It also said that all victims had their passwords reset, and that the change in code responsible for the intrusion was rolled back.
“We have not delayed this notification as a result of any law enforcement investigation,” PayPal added.
The company also understands the potency of personally identifiable data (PII), which is why it is offering two years of complimentary credit monitoring and identity restoration services through Equifax. This is, more or less, standard practice in incidents such as this one. However, it stressed that its systems were not compromised:
“When there is a potential exposure of customer information, PayPal is required to notify affected customers. In this case, PayPal’s systems were not compromised,” a company spokesperson told TechRadar Pro.
As such, we contacted the approximately 100 customers who were potentially impacted to provide awareness on this matter.”
Finally, the company urged all customers to remain vigilant of incoming emails, and to be extra careful when clicking on links or downloading attachments.