PayPal discloses data breach that exposed 6 months of user information

Last year, PayPal notified customers of a data breach after a software error during loan applications exposed nearly six months of sensitive personal information, including Social Security numbers.

The incident affected the PayPal Working Capital (PPWC) loan app, which provides small businesses with quick access to financing.

PayPal discovered the breach on December 12, 2025, and determined that customer names, email addresses, phone numbers, work addresses, Social Security numbers, and dates of birth were exposed after July 1, 2025.

The financial technology company said it had reverted the code changes that caused the incident and blocked the attackers' access to the data one day after the breach was discovered.

“On December 12, 2025, PayPal confirmed that an error in a PayPal Working Capital (“PPWC”) loan application exposed PII of a small number of customers to unauthorized individuals between July 1, 2025 and December 13, 2025,” the company stated in the breach notice sent to affected users.

“PayPal has since rolled back the code change that caused this error that could have exposed PII. We did not delay this notification as a result of any law enforcement investigation.”

PayPal also detected fraudulent transactions in a small number of customer accounts as a direct result of this incident and has issued refunds to affected customers.

The company is currently offering affected users two years of free three-bureau credit monitoring and identity restoration services through Equifax, which require registration by June 30, 2026.

Affected customers are encouraged to monitor their credit reports and account activity for suspicious transactions. PayPal reminded users that it will never request account passwords, one-time codes, or other authentication credentials via phone, text, or email. Such requests are a common tactic in phishing attacks that follow the disclosure of a data breach.

PayPal also said it will reset passwords for all affected accounts, and users who have not yet created new credentials will be prompted to do so the next time they log in.

In January 2023, PayPal notified customers of a new data breach after 35,000 accounts were compromised in a large-scale credential stuffing attack between December 6, 2022 and December 8, 2022.

Two years later, in January 2025, the state of New York announced a $2 million settlement with PayPal for failing to comply with the state’s cybersecurity regulations, which led to a data breach in 2022.

Updated February 20th 11:38 (EST): After the article was published, a PayPal spokesperson told BleepingComputer that the company’s systems were not compromised and that the data of approximately 100 customers was exposed as a result of the incident.

“If customer information may be compromised, PayPal is obligated to notify affected customers,” the spokesperson said. “In this case, PayPal’s systems were not compromised, so we contacted approximately 100 potentially affected customers to alert them to this issue.”
