Financial technology giant PayPal has officially disclosed a data breach that left the sensitive personal information of a subset of its users exposed for nearly six months. The incident, which primarily affected the PayPal Working Capital (PPWC) platform, has raised fresh concerns regarding application-layer security and the handling of highly sensitive data like Social Security Numbers (SSNs).
The Incident: What Happened?
The exposure was not the result of a direct "hack" or a breach of PayPal’s core payment infrastructure. Instead, the company attributed the leak to a software coding error introduced during a code modification on July 1, 2025.
This error inadvertently allowed unauthorized individuals to access the personally identifiable information (PII) of customers applying for short-term business financing through the PPWC app. The vulnerability remained active and undetected until December 12, 2025, creating a 165-day window of exposure.
Data at Risk
While PayPal emphasized that the scope of the incident was limited to approximately 100 customers, the nature of the data involved is critical. Exposed information included:
- Full names and business addresses
- Email addresses and phone numbers
- Dates of Birth
- Social Security Numbers (SSNs)
"The sensitivity of this data, specifically SSNs and birth dates, significantly heightens the risk of identity theft and sophisticated social engineering attacks targeting small business owners," security analysts noted.
Unauthorized Transactions and Remediation
PayPal confirmed that a small number of the impacted accounts experienced unauthorized transactions as a direct result of the exposure. The company has since:
- Rolled back the faulty code on December 13, 2025, to terminate unauthorized access.
- Refunded all fraudulent charges to affected users.
- Reset account passwords for all individuals identified in the breach.
- Offered 2 years of free credit monitoring and identity restoration services through Equifax (enrollment required by June 30, 2026).
A Pattern of Security Challenges?
This disclosure follows a string of regulatory and security hurdles for the payment processor. In January 2025, PayPal reached a $2 million settlement with the New York State Department of Financial Services over a 2022 credential-stuffing attack that compromised 35,000 accounts.
While the current breach is much smaller in scale, the duration of the exposure, six months, highlights a critical gap in detection capabilities for application-level vulnerabilities.
Recommendations for Users
Though the breach was confined to a small group, all PayPal users are encouraged to:
- Enable Multi-Factor Authentication (MFA): Provides an extra layer of defense against account takeovers.
- Monitor Credit Reports: Regularly check for unauthorized accounts or inquiries.
- Be Phishing Aware: PayPal reminds users that it will never ask for passwords or one-time codes via email, text, or phone.
Stay ahead. Stay dangerous.
Team Hacklido ❤️