“`html
PayPal has released an official data breach alert revealing that a programming flaw in its PayPal Working Capital (PPWC) loan application compromised the personally identifiable information (PII) of an undisclosed number of clients for around six months, from July 1, 2025, to December 13, 2025.
The organization identified the unauthorized exposure on December 12, 2025, and formally informed impacted customers through a written notice dated February 10, 2026, dispatched from its headquarters in San Jose, California.
The breach was not the result of an external attack, but stemmed from an internal software flaw—specifically, a code modification within the PPWC loan application framework that unintentionally allowed unauthorized entities to access client PII.
PayPal confirmed that the problematic code change has since been reversed and that unauthorized access to its systems has been ceased. The firm also indicated that no law enforcement inquiries hindered the delivery of this notification.
PayPal Data Breach
The types of personal information that may have been exposed during the breach period are extremely sensitive and encompass full name, email address, telephone number, business address, Social Security number (SSN), and date of birth.
The combination of SSNs and birth dates, along with business contact information, creates a high-risk scenario for identity theft, financial fraud, and social engineering schemes targeting those affected.
PayPal acknowledged that a limited number of customers also faced unauthorized transactions on their accounts, and the company has processed refunds for those clients.
After the discovery, PayPal undertook a comprehensive investigation, terminated unauthorized access to systems, and enforced compulsory password resets for all impacted accounts. Strengthened security measures were put in place to require new credentials upon the next sign-in.
As a remedial action, the company offers two years of free three-bureau credit monitoring and identity recovery services via Equifax Complete™ Premier, which includes up to $1,000,000 in coverage for identity theft insurance.
Impacted users must register through Equifax using their provided activation code before the deadline of July 31, 2026.
Affected clients are encouraged to inspect their account transaction history, track their credit reports through annualcreditreport.com, and contemplate placing a fraud alert or credit freeze with all three major bureaus, Equifax, Experian, and TransUnion, at no cost.
PayPal also cautioned users that the company will never solicit account credentials, passwords, or one-time authentication codes via phone, text, or email.
A spokesperson for PayPal mentioned to Cybersecurity News that, “When there is a potential risk of customer information exposure, PayPal is obligated to inform the impacted customers. In this case, PayPal’s systems were not breached. Consequently, we contacted around 100 customers who may have been affected to raise awareness about this issue.”
“`