PayPal Data Breach Exposes SSNs and Business PII of Customers for Over Six Months

February 20, 2026

PayPal has issued a formal data breach notification disclosing that a coding error in its PayPal Working Capital (PPWC) loan application exposed the personally identifiable information (PII) of an undisclosed number of customers for approximately six months, from July 1, 2025, to December 13, 2025.

The company detected the unauthorized exposure on December 12, 2025, and formally notified affected customers via written disclosure dated February 10, 2026, from its San Jose, California headquarters.

The breach resulted not from an external intrusion campaign but from an internal software defect: a code change within the PPWC loan application interface that inadvertently permitted unauthorized third parties to access customer PII.

PayPal confirmed that the responsible code change has since been rolled back and that unauthorized access to its systems has been terminated. The company also stated that no law enforcement investigation delayed the issuance of this notification.

The categories of personal information potentially exposed during the breach window are highly sensitive and include full name, email address, phone number, business address, Social Security number (SSN), and date of birth.

The combination of SSNs and dates of birth alongside business contact details creates a high-risk profile for identity theft, financial fraud, and social engineering attacks targeting affected individuals.

PayPal noted that a small number of customers also experienced unauthorized transactions on their accounts, and the company has issued refunds to those individuals.

Following the discovery, PayPal initiated a full investigation, terminated unauthorized system access, and enforced mandatory password resets for all affected accounts. Enhanced security controls were implemented to require new credentials upon the next login.

As a remediation measure, the company is offering two years of complimentary three-bureau credit monitoring and identity restoration services through Equifax Complete™ Premier, which includes up to $1,000,000 in identity theft insurance coverage.

Affected users must enroll via Equifax using their provided activation code before the July 31, 2026, deadline.

Affected customers are urged to review their account transaction history, monitor their credit reports through annualcreditreport.com, and consider placing a fraud alert or credit freeze with all three major bureaus, Equifax, Experian, and TransUnion, at no cost.

PayPal also reminded users that the company will never request account credentials, passwords, or one-time authentication codes via call, text, or email.
