Digital payments giant PayPal has disclosed a data security incident that exposed sensitive customer information for nearly six months. The issue stemmed from a software error within its small business lending platform, raising renewed concerns about data governance, financial technology security, and regulatory compliance.
Software Error Behind Prolonged Data Exposure
According to PayPal, the incident involved its PayPal Working Capital (PPWC) loan application. The company identified the problem on December 12, 2025, after discovering that a coding change had unintentionally exposed personally identifiable information (PII) to unauthorized individuals.
The affected data reportedly included:
- Full names
- Email addresses
- Phone numbers
- Business addresses
- Social Security numbers
- Dates of birth
PayPal stated that the exposure window extended from July 1, 2025, until December 13, 2025. Within one day of detection, the company reversed the problematic code change to block further access.
In notification letters sent to impacted users, PayPal confirmed that notification was not delayed by any ongoing law enforcement investigation.
Limited Scope, Company Says
Following public reporting, a spokesperson clarified that the company’s core systems were not compromised. Instead, the issue was attributed to an internal application error. The spokesperson stated that approximately 100 customers were potentially affected.
PayPal emphasized that when there is any possibility of data exposure, regulatory obligations require customer notification, even if a broader system breach did not occur.
Financial Impact and Customer Support
The company also detected unauthorized transactions affecting a small number of impacted accounts. Refunds were issued to those customers.
To mitigate identity theft risks, PayPal is offering two years of complimentary three-bureau credit monitoring and identity restoration services through Equifax. Eligible users must enroll before June 30, 2026.
Additionally, all affected accounts have had their passwords reset. Customers who have not yet updated their credentials will be prompted to create new login details during their next sign-in.
PayPal reminded users that it never requests passwords, one-time authentication codes, or other sensitive verification data through phone calls, text messages, or email communications. This warning is particularly relevant because phishing campaigns often surge after breach disclosures.
Previous Security Incidents
This is not the first cybersecurity event involving the financial technology firm. In January 2023, PayPal informed customers of a credential stuffing attack that compromised approximately 35,000 accounts in December 2022.
Two years later, in January 2025, New York State announced a $2 million settlement with PayPal, citing alleged failures to meet cybersecurity regulatory requirements linked to the earlier breach.
Broader Cybersecurity Lessons
Even when core systems remain intact, application-level coding errors can create significant data exposure risks. The incident highlights the importance of secure software development practices, rigorous code review processes, continuous monitoring, and strong access controls in financial technology platforms.
For users, the case reinforces the need to monitor credit activity, review financial statements regularly, and remain alert to phishing attempts that exploit public breach announcements.