The fintech giant has officially broken its silence on a high-stakes security lapse that left the Social Security Numbers (SSNs) and sensitive personal data of small business owners exposed for nearly six months. Unlike the high-profile external hacks that typically dominate headlines, this breach was an "inside job", triggered not by a malicious actor but by a single software coding error.
Timeline of the "Silent" Exposure
The leak originated within the PayPal Working Capital (PPWC) platform, a service designed to provide quick loans to entrepreneurs. The "ghost" entered the system during a routine code update and remained active through the latter half of 2025:
- July 1, 2025: A code modification is pushed to the PPWC application, inadvertently creating a back door to customer Personally Identifiable Information (PII).
- December 12, 2025: PayPal security teams finally identify the anomaly.
- December 13, 2025: The faulty code is rolled back, terminating unauthorized access.
- February 10, 2026: PayPal begins issuing formal notification letters to the affected users.
The Anatomy of the Leak
While the total number of impacted individuals is relatively small, estimated at approximately 100 customers, the depth of the exposure is profound. Because the glitch lived within a loan application system, the data available was far more sensitive than a standard retail login.
Exposed Data Points Included:
- Full Names and Business Addresses
- Email Addresses and Phone Numbers
- Dates of Birth
- Social Security Numbers (SSNs)
"The duration is the most alarming factor here," says one cybersecurity researcher. "A 165-day window for SSN exposure is an eternity in the world of identity theft. Once that data is scraped, it doesn't matter that the 'glitch' was fixed—the information is already in the wild."
Unauthorized Transactions Detected
The exposure wasn't just theoretical. PayPal confirmed that a subset of the affected accounts saw unauthorized transactions directly linked to the leak. While the company has since refunded these charges and forced password resets for all compromised accounts, the incident serves as a stark reminder of the risks inherent in automated lending platforms.
Redemption or Repetition?
This disclosure comes just over a year after PayPal paid a $2 million settlement to New York State for failing to maintain adequate cybersecurity standards following a 2022 credential-stuffing attack.
While PayPal maintains that its "core systems were not compromised," critics argue that for the victim, the distinction between a "system breach" and a "software error" is irrelevant when their Social Security Number is the price of the mistake.
The "Hacklido" Security Checklist
If you or your business uses PayPal Working Capital, take these steps immediately:
- Enroll in Credit Monitoring: PayPal is offering 2 years of free Equifax Complete Premier monitoring. Enrollment is required by June 30, 2026.
- Audit Your Ledger: Review all PPWC transactions from July 2025 to the present.
- Place a Credit Freeze: Since SSNs were involved, a freeze on your credit reports with Equifax, Experian, and TransUnion is the strongest defense against identity theft.
Stay ahead. Stay dangerous.
Team Hacklido ❤️
Join our Community – https://t.me/hacklido