PayPal's Silent Data Leak: 100 Users' Info Exposed for 6 Months by Faulty Code
A software error in PayPal's loan app left 100 small business owners' Social Security numbers and personal data exposed for six months—until the company finally rolled back the faulty code.
PayPal notified customers of a data breach in its PayPal Working Capital loan app that exposed names, SSNs, and business addresses from July 1, 2025, to December 13, 2025. The company claims its systems were not compromised but acknowledges that the error originated from a code change that was later rolled back.
"PayPal has since rolled back the code change responsible for this error, which potentially exposed the PII. We have not delayed this notification as a result of any law enforcement investigation," the company stated.
Affected users received two years of free credit monitoring through Equifax and were advised to watch for phishing attempts. Passwords for impacted accounts were also reset.
PayPal's spokesperson clarified in a February 2026 update: "PayPal’s systems were not compromised. As such, we contacted the approximately 100 customers who were potentially impacted to provide awareness on this matter." The breach follows a 2022 credential-stuffing attack and a $2 million New York settlement over cybersecurity failures.
Unauthorized transactions affected a small number of accounts, with refunds issued. The incident highlights the challenges of defining data exposure in breach disclosures—what PayPal calls a "potential" exposure, users now face as a tangible risk to their financial security.