
PayPal is notifying customers of a data breach after a software error in a loan application exposed their sensitive personal information, including Social Security numbers, for nearly 6 months last year.
The incident affected the PayPal Working Capital (PPWC) loan app, which provides small businesses with quick access to financing.
PayPal discovered the breach on December 12, 2025, and determined that customers' names, email addresses, phone numbers, business addresses, Social Security numbers, and dates of birth had been exposed since July 1, 2025.
The financial technology company said it has reversed the code change that caused the incident, blocking attackers' access to the data one day after discovering the breach.
"On December 12, 2025, PayPal identified that due to an error in its PayPal Working Capital ("PPWC") loan application, the PII of a small number of customers was exposed to unauthorized individuals during the timeframe of July 1, 2025 to December 13, 2025," PayPal said in breach notification letters sent to affected users.
"PayPal has since rolled back the code change responsible for this error, which potentially exposed the PII. We have not delayed this notification as a result of any law enforcement investigation."
PayPal also detected unauthorized transactions on the accounts of a small number of customers as a direct result of the incident and has issued refunds to those affected.
The company now offers affected users two years of free three-bureau credit monitoring and identity restoration services through Equifax, which require enrollment by June 30, 2026.
Affected customers are advised to monitor their credit reports and their account activity for suspicious transactions. PayPal reminded users that it never requests account passwords, one-time codes, or other authentication credentials via phone, text, or email; such requests are a common tactic in phishing attacks that often follow data breach disclosures.
PayPal has also reset passwords for all impacted accounts and said that users will be prompted to create new credentials upon their next login if they have not already done so.
In January 2023, PayPal notified customers of another data breach after a large-scale credential stuffing attack compromised 35,000 accounts between December 6 and December 8, 2022.
Two years later, in January 2025, New York State announced a $2,000,000 settlement with PayPal over charges that it failed to comply with the state's cybersecurity regulations, leading to the 2022 data breach.
Update February 20, 11:38 EST: After the article was published, a PayPal spokesperson told BleepingComputer that the company's systems were not breached and the incident exposed the data of roughly 100 customers.
"When there is a potential exposure of customer information, PayPal is required to notify affected customers," the spokesperson said. "In this case, PayPal's systems were not compromised. As such, we contacted the approximately 100 customers who were potentially impacted to provide awareness on this matter."