PayPal has begun notifying a small number of customers about a significant cybersecurity incident in which their personally identifiable information (PII) was exposed for nearly six months due to a software error in its PayPal Working Capital (PPWC) loan application.
The exposure, which affected business contact details combined with highly sensitive personal data, lasted from July 1, 2025, to December 13, 2025.
PayPal discovered the issue on December 12, 2025, and rolled back the faulty code change the following day.
According to the official breach notification letters sent to affected users, the compromised information included:
- Name
- Email address
- Phone number
- Business address
- Social Security number (SSN)
- Date of birth
PayPal emphasized that the breach stemmed from an error in the PPWC loan application process, a service designed to provide small businesses with quick financing options based on their PayPal transaction history.
The company stated it has “not delayed this notification as a result of any law enforcement investigation.”
PayPal’s Response and Remediation
Upon discovery, PayPal:
- Terminated unauthorized access and rolled back the problematic code.
- Reset passwords for all affected accounts (users will be prompted to create a new password on next login if not already done).
- Issued refunds to the few customers who experienced unauthorized transactions.
- Implemented enhanced security controls.
In addition, PayPal is offering two years of complimentary three-bureau credit monitoring and identity restoration services through Equifax at no cost to affected customers. Enrollment must be completed by June 30, 2026.
What Affected Customers Should Do
PayPal urges customers to:
- Review account statements, transaction history, and free credit reports for suspicious activity.
- Enroll in the free Equifax monitoring services (instructions are included in the notification letter).
- Remain vigilant against phishing attempts. PayPal will never ask for passwords, one-time codes, or authentication factors via email, phone, or text.
- Follow general best practices: use unique passwords, enable multi-factor authentication, and avoid clicking suspicious links.
The company added: “We take the security of your information very seriously, and we sincerely regret any inconvenience that this matter has caused you.”
Context and Broader Implications
While the number of affected customers has not been publicly disclosed, PayPal described it as “a small number.”
This incident is unrelated to previous PayPal breaches, including the 2022 credential-stuffing attack that impacted approximately 35,000 accounts.
Security experts note that prolonged exposure of SSNs and dates of birth significantly raises the risk of identity theft and fraud, making the two-year credit monitoring offer particularly important.
Customers who received the notification letter should act promptly. For more information, visit PayPal’s Help & Contact section or the Equifax enrollment page referenced in the letter.
PayPal has not yet issued a public press release beyond the customer notifications, and the company did not immediately respond to requests for additional comment.

