PayPal has begun notifying a limited number of business customers about a data breach tied to its PayPal Working Capital (PPWC) loan application. According to breach notification letters, a software error exposed sensitive personal information between July 1 and December 12, 2025. The issue was discovered on December 12, after which PayPal says it reversed the problematic code and blocked unauthorized access.
The exposed data included names, email addresses, phone numbers, business addresses, Social Security numbers, and dates of birth.
PayPal stated that approximately 100 customers were affected, and some of them experienced unauthorized transactions. The company has since reset impacted passwords and issued refunds where necessary, and it is offering two years of complimentary credit monitoring through Equifax.
Why It Matters: Although the number of affected users appears small, the type of data exposed, particularly Social Security numbers and dates of birth, creates long-term identity theft and fraud risks. The incident also adds to a series of security-related events involving PayPal in 2025, raising broader concerns about systemic vulnerabilities and detection timelines.
- Six-Month Exposure Window: The breach reportedly began on July 1, 2025, and continued until December 12, 2025, when PayPal says it identified and addressed the issue. A six-month window of exposure is significant as it provides an extended opportunity for unauthorized individuals to access, collect, or exploit sensitive data before containment measures are implemented.
- Software Error in the PPWC Loan Application: PayPal attributed the incident to a coding error within the PayPal Working Capital loan app rather than a conventional network intrusion. However, official notifications referenced “unauthorized access to PayPal’s systems,” creating some uncertainty about whether the exposure stemmed solely from misconfigured code or whether an external actor actively leveraged the flaw.
- Highly Sensitive Data Was Accessible: The information potentially accessed included names, email addresses, phone numbers, business addresses, Social Security numbers, and dates of birth. The presence of SSNs and birth dates elevates the severity of the incident, as these identifiers can be used for identity theft, fraudulent loan applications, tax fraud, or highly targeted phishing campaigns against small business owners.
- Confirmed Unauthorized Transactions and Account Resets: PayPal acknowledged that a small number of affected users experienced unauthorized transactions tied directly to the breach. The company stated that it refunded impacted customers and reset passwords on affected accounts, requiring users to establish new credentials to regain access.
- Part of a Broader Pattern of 2025 Security Issues: While this breach affected a relatively small number of users, it occurred during a period marked by other PayPal-related security concerns, including leaked credential datasets and phishing schemes abusing PayPal infrastructure. Although separate incidents, the clustering of security events within the same year may intensify scrutiny of PayPal’s overall security posture and incident detection processes.
Go Deeper -> PayPal Data Breach Confirmed—Money Was Stolen, Passwords Now Reset – Forbes


