PayPal Data Breach Exposes SSNs and Business PII for Months

PayPal has disclosed a data breach impacting customers who applied for loans through its PayPal Working Capital (PPWC) platform. According to the company’s formal notification, a coding error exposed sensitive personal and business information for more than six months — from July 1, 2025, to December 13, 2025.

The exposure was identified on December 12, 2025, and affected customers were notified in writing on February 10, 2026, from the company’s headquarters in San Jose, California.


What Caused the Breach?

Unlike many high-profile breaches driven by ransomware or external intrusion campaigns, this incident stemmed from an internal software defect.

A code change within the PPWC loan application interface inadvertently allowed unauthorized third parties to access customer data. Once discovered, the company:

  • Rolled back the problematic code
  • Terminated unauthorized access
  • Conducted a full internal investigation
  • Confirmed that no law enforcement request delayed disclosure

This highlights how application-layer misconfigurations and coding errors can pose risks comparable to external cyberattacks.


What Information Was Exposed?

The categories of potentially exposed data are highly sensitive and include:

  • Full name
  • Email address
  • Phone number
  • Business address
  • Social Security number (SSN)
  • Date of birth

The combination of SSNs and dates of birth significantly increases the risk of identity theft, financial fraud, and sophisticated social engineering attacks.

PayPal confirmed that a small number of customers experienced unauthorized account transactions. Impacted individuals have reportedly been refunded.


Remediation and Customer Protection

In response to the breach, PayPal implemented several security measures:

  • Mandatory password resets for affected accounts
  • Enforced new credential requirements at next login
  • Strengthened internal security controls

Additionally, the company is offering two years of complimentary three-bureau credit monitoring and identity restoration services through Equifax Complete™ Premier. The package includes:

  • Three-bureau credit monitoring
  • Identity restoration support
  • Up to $1 million in identity theft insurance

Affected customers must enroll before July 31, 2026, using their activation code.


Recommended Actions for Affected Customers

Customers potentially impacted by the breach should:

  • Review account transaction history
  • Monitor credit reports via AnnualCreditReport.com
  • Consider placing fraud alerts or credit freezes with
    • Equifax
    • Experian
    • TransUnion

PayPal also reminded users that it will never request passwords, account credentials, or one-time authentication codes via phone, text, or email.


Security Implications

This breach underscores a critical reality:

Not all major data exposures stem from sophisticated external attacks.
Sometimes, a single flawed code deployment can create months-long risk exposure.

For financial technology providers and enterprises handling regulated data, this incident reinforces the importance of:

  • Secure SDLC (Secure Software Development Lifecycle) practices
  • Rigorous code reviews before production deployment
  • Continuous access control validation
  • Application-layer monitoring for anomalous data exposure
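The notification only says that a code change let unauthorized third parties read customer data; it does not describe the defect itself. The example below is added here to make the last three practices concrete and is not PayPal's code: it assumes a generic missing-ownership-check regression on a record lookup (the most common shape of such a defect), shows the hardened lookup next to it, the authorization regression check a pipeline can run before deployment, and a small application-layer monitor that flags a principal reading many applicants' records. All identifiers, records and log lines are constructed.

```python
"""Added illustration (not PayPal's code): object-level authorization on a
record lookup, a CI regression check for it, and an access monitor. Every
name, record and log line here is hypothetical."""
from collections import defaultdict
from dataclasses import dataclass


class Forbidden(Exception):
    """Raised when a requester is not the owner of the requested record."""


@dataclass(frozen=True)
class Application:
    app_id: str
    owner_id: str
    ssn_last4: str  # stands in for the sensitive fields a loan application holds


# Constructed sample store; the identifiers and values are invented.
APPLICATIONS = {
    "app-1": Application("app-1", "user-a", "1234"),
    "app-2": Application("app-2", "user-b", "5678"),
}


def get_application_unchecked(app_id, requester_id):
    """The defect pattern: the record is looked up by identifier alone and the
    requester's identity is never compared with the record's owner, so any
    authenticated principal who knows an id can read someone else's data."""
    return APPLICATIONS[app_id]


def get_application(app_id, requester_id):
    """Hardened lookup: object-level authorization on every read. A missing
    record and someone else's record are refused the same way, so the response
    cannot be used to tell valid identifiers from invalid ones."""
    app = APPLICATIONS.get(app_id)
    if app is None or app.owner_id != requester_id:
        raise Forbidden(f"{requester_id} may not read {app_id}")
    return app


def authorization_holds(handler):
    """Regression check for CI: True only if, for every record, the owner can
    read it and every other principal (including a complete outsider) is
    refused. A code change that drops the ownership check turns this False."""
    principals = {a.owner_id for a in APPLICATIONS.values()} | {"user-outsider"}
    for app in APPLICATIONS.values():
        for principal in principals:
            try:
                handler(app.app_id, principal)
                allowed = True
            except Forbidden:
                allowed = False
            if allowed != (principal == app.owner_id):
                return False
    return True


# Constructed access-log lines in a simple key=value format; not a real log.
SAMPLE_LOG = [
    "2025-07-02T10:00:00Z principal=user-a app=app-1 status=200",
    "2025-07-02T10:00:05Z principal=user-b app=app-2 status=200",
    "2025-07-02T10:01:00Z principal=user-x app=app-1 status=200",
    "2025-07-02T10:01:01Z principal=user-x app=app-2 status=200",
    "2025-07-02T10:01:02Z principal=user-x app=app-3 status=200",
    "2025-07-02T10:01:03Z principal=user-x app=app-4 status=403",
]


def parse_line(line):
    """Split one log line into a dict; the leading timestamp is kept under 'ts'."""
    ts, *pairs = line.split()
    fields = {"ts": ts}
    for pair in pairs:
        key, _, value = pair.partition("=")
        fields[key] = value
    return fields


def overreaching_principals(log_lines, max_distinct):
    """Application-layer monitor: count the distinct application records each
    principal successfully read and return those above max_distinct. An
    applicant normally touches only their own record, so a principal reading
    many distinct records is the kind of anomaly worth alerting on."""
    seen = defaultdict(set)
    for line in log_lines:
        fields = parse_line(line)
        if fields.get("status") == "200":
            seen[fields["principal"]].add(fields["app"])
    return {p: len(apps) for p, apps in seen.items() if len(apps) > max_distinct}


if __name__ == "__main__":
    print("hardened handler passes:", authorization_holds(get_application))
    print("unchecked handler passes:", authorization_holds(get_application_unchecked))
    print("over-reaching principals:", overreaching_principals(SAMPLE_LOG, 1))
```

The regression check is deliberately exhaustive over principals rather than testing one happy path: the defect described in the notification is a change that silently widens who can read a record, and only a test that asserts refusals as well as successes will fail when that happens. The monitor counts only successful reads, so a flood of refused requests (already handled by the hardened lookup) does not mask a principal who is actually receiving other applicants' data.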

As organizations continue to digitize lending and financial services, maintaining tight control over sensitive identity data remains paramount.
