PayPal Confirms Data Exposure After Six-Month Glitch; Refunds Issued for Stolen Funds

Global payments giant PayPal has confirmed a data exposure incident that left sensitive customer information accessible to unauthorized parties for nearly six months. The company said that a software coding error, rather than an external intrusion, allowed unauthorized parties to view personal data and, in several instances, to move funds out of user accounts.

The breach, which was disclosed in February 2026 via formal notification letters to affected users, primarily impacted customers of the PayPal Working Capital (PPWC) program, a service tailored for small businesses and entrepreneurs.


The Anatomy of the Error

According to company disclosures, the vulnerability was introduced on July 1, 2025, during a routine code change to the PPWC loan application interface. The "glitch" allowed unauthorized individuals to view, and in some cases scrape, highly sensitive Personally Identifiable Information (PII) through that interface.

The exposure remained active and undetected for roughly 165 days, until PayPal security teams identified the anomaly on December 12, 2025. The company said it rolled back the faulty code and cut off the unauthorized access by the following day.


What Was Stolen?


PayPal states that only approximately 100 customers were directly affected, but the sensitivity of the data exposed has drawn significant concern from cybersecurity experts. The compromised data includes:

Full names and business addresses

Email addresses and phone numbers

Social Security numbers (SSNs)

Dates of birth



More critically, PayPal confirmed that "a few" of the affected accounts saw unauthorized transactions, meaning bad actors were able to move money out of those accounts before the exposure was closed. PayPal has since stated that it has fully refunded all customers who suffered financial losses from this incident.



Corporate Response and Remediation


In a statement to news outlets, a PayPal spokesperson emphasized that the company's "core systems" were not breached by an outside attacker. Instead, the incident is being characterized as an internal technical failure that exposed private data to parties who should not have been able to see it.

"When there is a potential exposure of customer information, PayPal is required to notify affected customers," the spokesperson said. "In this case, PayPal's systems were not compromised. As such, we contacted the approximately 100 customers who were potentially impacted to provide awareness."

Despite the small number of victims, PayPal is taking significant remedial steps, including:

Mandatory Password Resets: All affected users have had their passwords forcibly reset and must create new credentials upon their next login.

Credit Monitoring: Impacted individuals are being offered two years of free three-bureau credit monitoring and identity restoration services through Equifax.

Enhanced Security: The company says it has implemented "enhanced security controls" intended to stop similar coding errors from reaching production environments in the future.


A Pattern of Vulnerability?

This incident comes at a sensitive time for the fintech leader. Just last year, New York State reached a $2 million settlement with PayPal over a separate 2022 credential-stuffing attack that compromised 35,000 accounts. Critics argue that the roughly six-month gap between the introduction of the 2025 defect and its discovery points to ongoing gaps in the company's real-time monitoring of its business-facing applications.

Security analysts warn that even though only 100 people were affected, the combination of SSNs and business details makes these individuals prime targets for "synthetic identity fraud" and highly targeted phishing campaigns in the coming months.


Recommendations for Users


While the current breach appears contained to the PPWC platform, security experts recommend that all PayPal users take the following precautions. None of these steps would have prevented a server-side defect of this kind, but they limit what an attacker can do with exposed account details:

Enable Two-Factor Authentication (2FA): Use an authenticator app rather than SMS for better security.

Monitor Statements: Review your transaction history for any small "test" charges you don't recognize.

Be Phishing Aware: PayPal reminded users that it will never ask for passwords or one-time codes via text, phone call, or email.

The company has urged affected customers to enroll in the provided credit monitoring service before the June 30, 2026 deadline.

