PayPal has disclosed a data breach that exposed some of its customers’ personal information and led to fraudulent transactions.
The company said it happened due to an error in its PayPal Working Capital (“PPWC”) loan application, an offering that gives businesses a cash advance based on their PayPal sales history.
Between 1 July and 13 December 2025, the PII of a small number of customers was exposed to bad actors. PayPal added that it has since rolled back the code change responsible for this error.
Types of data exposed include full names, email addresses, phone numbers, mailing addresses, dates of birth, and SSNs. PayPal insisted that no financial account information, login credentials, passwords, or credit card or bank account numbers were accessed or exposed.
“Upon learning about this unauthorized activity, we began an investigation and terminated the unauthorized access to PayPal’s systems. We reset the passwords of the affected PayPal accounts and implemented enhanced security controls that will require you to establish a new password the next time you log in to your account if you have not already done so. A few customers experienced unauthorized transactions on their account and PayPal has issued refunds to these customers,” the company added.
PayPal is in the process of notifying affected individuals, has taken steps to contain the incident, and emphasized that it has implemented additional monitoring and security enhancements as part of its response.
More Robust SDLC Needed
Noelle Murata, Sr. Security Engineer at Xcape Inc, said: “PayPal’s Working Capital glitch serves as a prime example of how a subtle logic error can be as impactful as a high-profile hack, with customer data remaining exposed for nearly six months undetected. Although the exposure seems minor, the severity of the information led to fraudulent transactions and highlights the need for key industries to follow fundamental application security practices.”
She added that for financial platforms, security must encompass more than just transaction protection; it needs to extend to all associated products and processes handling customer data. “While improved monitoring is crucial, preventing such incidents necessitates more robust secure development lifecycle (SDLC) controls.
“Customers impacted should view this as an identity theft risk, not just a minor account problem. Enrol in the provided credit monitoring, secure credit files where possible, and exercise extreme caution with any ‘PayPal’ communications referencing their business or loan history. Apparently, a six-month undetected coding error that leaks your Social Security Number is just a feature, not a bug.”
Contradictory Messaging
Denis Calderone, CRO & COO at Suzu Labs, said: “PayPal told the media their ‘systems were not compromised,’ but the breach notification letter they filed with Massachusetts says they ‘terminated the unauthorized access to PayPal’s systems.’ Those two statements can’t both be true. Either someone accessed your systems without authorization, or they didn’t. It might be just a poorly worded press release, but words are important. You don’t get to tell regulators one thing and the press another.”
According to him, this kind of contradictory messaging erodes the trust that breach notifications are supposed to rebuild. “When a company gets caught playing word games with incident disclosures, it makes you question what else is being minimized. Is the record count correct, and was the exposure really limited to the data types they listed? We can’t verify any of that independently, so we’re relying on the company’s transparency.”
Calderone added that what they have disclosed is bad enough: SSNs, dates of birth, and names exposed for nearly six months before anyone noticed, with some customers hit by fraudulent transactions. “But the bigger issue here is accountability in disclosure. Say what happened. Say it consistently. And say it quickly.”
Small Internal Failures
Simon Pamplin, CTO of Certes, added that this latest incident highlights a recurring issue in cybersecurity: breaches are not always the result of sophisticated external attacks, but of small internal failures that expose highly sensitive data for extended periods of time.
“What is particularly concerning here is the duration. Five months is a significant window in which personal and financial identifiers including Social Security numbers and dates of birth may have been accessible. Once that data is copied, the risk does not disappear when the bug is fixed or passwords are reset. It persists.”
Pamplin stated that the immediate concern is fraud and phishing, which we are already seeing in the form of unauthorised transactions. “But the longer-term risk is often overlooked. Criminal groups increasingly operate on a harvest now, decrypt later model, quietly collecting encrypted or protected data today with the expectation that advances in computing power, including quantum capability, will allow them to unlock it in the future.”
Information Security Buzz News Editor
Kirsten Doyle has been in the technology journalism and editing space for nearly 24 years, during which time she has developed a great love for all aspects of technology, as well as words themselves. Her experience spans B2B tech, with a lot of focus on cybersecurity, cloud, enterprise, digital transformation, and data centre. Her specialties are in news, thought leadership, features, white papers, and PR writing, and she is an experienced editor for both print and online publications.
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.