PayPal has confirmed a data breach that exposed sensitive personal information of customers who used its PayPal Working Capital loan application. The unauthorized access lasted from July 1 to December 12, 2025, before the company identified and addressed the issue.
The incident affected a relatively small number of users (approximately 100, according to a company spokesperson), but the nature of the compromised data has raised concerns. PayPal has reset passwords for impacted accounts and confirmed that affected customers have been refunded for any unauthorized transactions.
Software error exposed personal data for nearly six months
The breach stemmed from what PayPal described as a coding error within its PayPal Working Capital (PPWC) loan application. According to a breach notification letter cited by multiple outlets, unauthorized individuals were able to access customer information between July 1 and December 12, 2025. The company said it rolled back the code change responsible for the exposure on December 13, effectively terminating the unauthorized access.
The compromised information included names, email addresses, phone numbers, business addresses, Social Security numbers, and dates of birth. This combination of business contact details and sensitive identity data was exposed for approximately 165 days.
PayPal stated that it discovered the incident on December 12, 2025, and began notifying affected customers through letters dated February 10, 2026. The company emphasized that the notification was not delayed due to any law enforcement investigation.
In a statement reported by Forbes, a PayPal spokesperson said, “When there is a potential exposure of customer information, PayPal is required to notify affected customers. In this case, PayPal’s systems were not compromised.” The spokesperson added that the company contacted “approximately 100 customers who were potentially impacted” to raise awareness of the matter.
Refunds issued and security measures reinforced
A small subset of affected customers reported unauthorized transactions on their accounts. PayPal confirmed that it has refunded those customers and reset passwords for all impacted accounts. Users may be prompted to create new credentials upon logging in.
According to Forbes, the company has also terminated the attacker’s access and implemented additional security checks following the discovery of the breach. The company is offering two years of complimentary credit monitoring and identity restoration services through Equifax to affected customers. Enrollment is required by June 30, 2026.
The monitoring package includes three-bureau credit monitoring, daily access to Equifax credit reports, dark web alerts for Social Security and financial account numbers, and identity theft insurance coverage.
The provider reiterated that it will never request account passwords, one-time codes, or authentication credentials via phone, text, or email. The company has advised users to review account statements and transaction histories carefully and to remain vigilant for suspicious activity.
While the breach impacted a limited number of customers, it follows previous security incidents involving the company. In January 2023, PayPal disclosed that 34,942 accounts had been accessed through credential stuffing attacks, though at that time it said its systems were not breached.








