PayPal Working Capital Bug Exposed Customer SSNs and PII for Six Months


PayPal disclosed a data exposure affecting approximately 100 customers of its Working Capital loan application. A software coding error from July 1 to December 13, 2025, made sensitive PII visible to unauthorized parties. The company found and fixed the issue on December 12, 2025, and sent notifications dated February 10, 2026, from San Jose, California.

No external hackers breached PayPal systems. A code change in the PPWC loan interface created the flaw. Third parties accessed data directly through the open interface. PayPal rolled back the code and blocked access within 24 hours of detection. No law enforcement investigation delayed disclosures.

Exposed information included full names, email addresses, phone numbers, business addresses, Social Security numbers, and dates of birth. This combination fuels identity theft and business fraud. A small number of accounts saw unauthorized transactions. PayPal issued full refunds to those victims.

The company reset passwords for all affected accounts. Users must create new credentials on next login. PayPal offers two years of free Equifax Complete Premier credit monitoring with $1M identity theft insurance. Customers enroll using unique activation codes, and the enrollment deadline is July 31, 2026.

Spokesperson statement: “PayPal’s systems were not compromised. We reached out to approximately 100 customers who were potentially impacted.”

Exposed Data Categories

| Data Type | Sensitivity | Fraud Risk |
|---|---|---|
| Full Name | High | Identity theft |
| Email Address | High | Phishing target |
| Phone Number | High | SIM swap attacks |
| Business Address | Medium | Corporate targeting |
| SSN | Critical | Full identity theft |
| Date of Birth | Critical | Account takeover |

An SSN combined with a date of birth creates a complete identity profile.

Breach Timeline

  • July 1, 2025: Faulty code deployed in PPWC application.
  • Dec 12, 2025: PayPal detects exposure.
  • Dec 13, 2025: Code rollback blocks access.
  • Feb 10, 2026: Customer notifications sent.
  • Feb 20, 2026: Public disclosure.

Six-month exposure window confirmed.

Immediate Actions for Users

Follow these steps now:

  • Review PayPal transaction history for unauthorized activity.
  • Enroll in Equifax monitoring using your activation code.
  • Check credit reports at annualcreditreport.com.
  • Place fraud alert with Equifax, Experian, TransUnion.
  • Consider credit freeze at all three bureaus (free).

Monitor for 12-24 months post-exposure.

PayPal Remediation Measures

The company implemented these fixes:

  • Rolled back problematic code change.
  • Reset passwords for all 100 affected accounts.
  • Issued refunds for unauthorized transactions.
  • Provided 2 years Equifax Complete Premier.
  • Enhanced PPWC application security controls.

No broader system compromise occurred.

Fraud Prevention Checklist

Protect against follow-on attacks:

  • Enable PayPal MFA if not active.
  • Update passwords on linked financial sites.
  • Watch for phishing claiming “breach response.”
  • Verify suspicious transactions immediately.
  • Report SSN misuse to FTC at IdentityTheft.gov.

PayPal never requests credentials via phone/text/email.

High-Risk Customer Profiles

Business owners face elevated threats:

  • Small business owners applying for PPWC loans.
  • Sole proprietors with personal SSNs on file.
  • Companies linking business/personal banking.

Synthetic identity fraud is a likely outcome.

Regulatory Context

PayPal's history shows compliance scrutiny:

  • 2023: Credential stuffing hit 35,000 accounts.
  • 2025: $2M NY settlement for cybersecurity failures.

Current incident involves internal error, not intrusion.

Victim Support Resources

| Service | Provider | Duration / Coverage | Deadline |
|---|---|---|---|
| 3-Bureau Credit Monitoring | Equifax | 2 years | July 31, 2026 |
| Identity Theft Insurance | Equifax | $1M | July 31, 2026 |
| Credit Reports | AnnualCreditReport.com | Free weekly | Ongoing |
| Fraud Alerts | 3 Bureaus | 1 year | Immediate |
| Credit Freezes | 3 Bureaus | Indefinite | Immediate |

FAQ

How many PayPal customers were affected?

Approximately 100 customers.

What caused the six-month data exposure?

A coding error in the PPWC loan application interface.

Was PayPal’s core platform hacked?

No. An internal software defect exposed the data.

What PII was exposed in the PayPal breach?

Names, emails, phones, addresses, SSNs, DOBs.

Does PayPal offer credit monitoring?

Yes, 2 years of Equifax Complete Premier, free.

Should I freeze my credit after the PayPal exposure?

Yes, at Equifax, Experian, and TransUnion immediately.
