PayPal confirms data breach — user info may have been exposed for 6 months, here's what we know so far


  • PayPal bug in loan app exposed sensitive customer data for five months
  • Some accounts saw unauthorized transactions; victims reimbursed and passwords reset
  • PayPal offers two years of free credit monitoring via Equifax

A coding error in a PayPal app left some customers’ data exposed and even resulted in a few fraudulent transactions, the ecommerce company has confirmed.

PayPal recently notified a subset of its customers that it had identified a bug in its PayPal Working Capital (PPWC) loan application, a business financing product that gives eligible businesses a cash advance based on their PayPal sales history.

Discovered on December 12, 2025, the bug was leaking sensitive data for more than five months, between July 1, 2025, and December 13, 2025, including user names, email addresses, phone numbers, business addresses, Social Security numbers (SSN), and dates of birth.

Unauthorized transactions

This is a potent mix of data that can easily be leveraged in a phishing email to trick users into giving away their login credentials, and with them access to their funds.

To make matters worse, it seems that the bug itself also granted malicious actors access to other people’s funds. In the warning email, PayPal said that “a few customers experienced unauthorized transactions on their account.”

We don’t know how many “a few” actually are, but PayPal stressed that the unauthorized access was revoked, and victims reimbursed. It also said that all victims had their passwords reset, and that the change in code responsible for the intrusion was rolled back.

“We have not delayed this notification as a result of any law enforcement investigation,” PayPal added.

The company also understands the potency of personally identifiable data (PII), which is why it is offering two years of complimentary credit monitoring and identity restoration services through Equifax. This is, more or less, standard practice in incidents such as this one.

Finally, the company urged all customers to remain vigilant about incoming emails, and to be extra careful when clicking on links or downloading attachments.

Via BleepingComputer


Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.
