A software coding error — not a hacker — is behind PayPal's latest data breach disclosure. The company began sending formal breach notification letters on February 10, 2026, informing customers that a bug in its PayPal Working Capital (PPWC) loan application exposed sensitive personal data to unauthorised individuals for more than five months before anyone caught it.
According to the breach notification letter reviewed by Cyber Kendra, PayPal identified the issue on December 12, 2025. The faulty code had been live since July 1, 2025 — meaning the exposure window stretched across 165 days. PayPal rolled back the responsible code change the following day, December 13.
A PayPal spokesperson noted, "PayPal's systems were not compromised. As such, we contacted the approximately 100 customers who were potentially impacted to provide awareness on this matter."
What Data Was Exposed
The breach notification confirms that the exposed information could include a customer's name, email address, phone number, business address, Social Security number (SSN), and date of birth — all tied to their PPWC loan application profile. That combination is particularly dangerous: SSNs and dates of birth together are enough for identity thieves to open fraudulent credit lines, file fake tax returns, or impersonate someone to financial institutions.
PayPal confirmed that a "few customers" experienced unauthorised transactions on their accounts and that refunds have been issued to those individuals. Passwords for affected accounts were reset, and enhanced security controls are now in place, requiring a new password on the next login.
This is not the first time PayPal customers have faced this kind of exposure. In January 2023, PayPal disclosed a large-scale credential stuffing attack (where attackers use stolen username and password combinations from other breaches to break into accounts) that compromised nearly 35,000 accounts between December 6 and December 8, 2022. The exposed data in that incident included names, dates of birth, postal addresses, SSNs, and tax identification numbers.
That breach carried regulatory consequences. In January 2025, the New York State Department of Financial Services (NYDFS) announced a $2 million settlement with PayPal, citing the company's failure to use qualified cybersecurity personnel, provide adequate staff training, and enforce multi-factor authentication (MFA) — all of which contributed to the 2022 attack succeeding.
PayPal's security track record stretches back further still. Cyber Kendra previously reported how researchers from Duo Security discovered a critical flaw that allowed bypassing PayPal's two-factor authentication entirely through the PayPal API — a vulnerability that impacted PayPal's official mobile apps as well as third-party merchant integrations.
PayPal is offering two years of complimentary three-bureau credit monitoring through Equifax Complete Premier, which includes up to $1,000,000 in identity theft insurance coverage, WebScan monitoring for SSNs on fraudulent internet trading sites, and access to a dedicated Identity Restoration Specialist. To enrol, visit equifax.com/activate before the June 30, 2026, deadline listed in the notification letter.
If you received a breach notification letter, act on it. Unlike a stolen password, a compromised SSN cannot be changed.