PayPal has notified customers of a data breach linked to a software error in its PayPal Working Capital (PPWC) loan application, a product that provides financing for small businesses.
The company said the issue was discovered on December 12, 2025. According to PayPal, personally identifiable information (PII) was exposed to unauthorized individuals between July 1, 2025, and December 13, 2025.
In breach notification letters sent to affected users, PayPal stated, “On December 12, 2025, PayPal identified that due to an error in its PayPal Working Capital (“PPWC”) loan application, the PII of a small number of customers was exposed to unauthorized individuals during the timeframe of July 1, 2025, to December 13, 2025.”
The exposed data included names, email addresses, phone numbers, business addresses, Social Security numbers, and dates of birth. The company explained that the problem was caused by faulty code in the PPWC application.
PayPal said it rolled back the faulty code and blocked unauthorized access within a day of discovering the issue. It also identified unauthorized transactions on some accounts connected to the incident and issued refunds to affected customers.
To support those impacted, PayPal is offering two years of free credit monitoring and identity restoration services through Equifax. Enrollment for this service is open until June 30, 2026. The company advised customers to monitor their credit reports and account activity for any unusual transactions.
In addition, PayPal reset passwords for affected users and said they would be prompted to create new login credentials if they had not already done so. The company also reminded users that it does not request sensitive information such as passwords or one-time codes through phone calls, text messages, or email, noting that such requests are common in phishing attempts.
The latest breach follows a previous incident involving a credential stuffing attack that affected about 35,000 accounts between December 6 and December 8, 2022. In January 2025, New York State reached a $2 million settlement with PayPal over alleged failures to comply with state cybersecurity regulations related to that breach.
In a follow-up clarification, a PayPal spokesperson said the company’s broader systems were not compromised and that the recent incident affected about 100 customers.
“When there is a potential exposure of customer information, PayPal is required to notify affected customers,” the spokesperson noted. “In this case, PayPal’s systems were not compromised. As such, we contacted the approximately 100 customers who were potentially impacted to provide awareness on this matter.”
