
PayPal is alerting users to a February 2026 data breach that exposed select customer data for nearly six months. This comes after a 2025 software glitch left private information, including Social Security numbers, vulnerable for a similar period.
The PayPal Working Capital (PPWC) loan app, which gives small businesses rapid access to funding, was impacted by the incident.
Highly sensitive personally identifiable information (PII) was compromised, including customers’ names, email addresses, phone numbers, company (business) and physical addresses, Social Security numbers (SSN), and dates of birth. The data had been compromised since July 1, 2025, according to PayPal, which discovered the incident on December 12, 2025.
One day after learning of the breach, the financial technology company announced that it had undone the code update that led to the incident, which prevented the attackers from accessing the data.
In breach notification letters sent to impacted users, PayPal stated, “On December 12, 2025, PayPal identified that due to an error in its PayPal Working Capital (“PPWC”) loan application, the PII of a small number of customers was exposed to unauthorised individuals during the timeframe of July 1, 2025, to December 13, 2025.”
“The code update that caused this problem, which would have exposed the PII, has since been undone by PayPal. No law enforcement inquiry has caused us to postpone this communication.”
As a direct result of the incident, PayPal also discovered unauthorised transactions on a few customers’ accounts and has refunded those impacted.
Affected consumers are now eligible for two years of complimentary three-bureau credit monitoring and identity restoration services through Equifax, provided they enrol by June 30, 2026.
Impacted customers are encouraged to monitor their credit reports and account activity for anything unusual. PayPal reminded users that it never calls, texts, or emails them to ask for account passwords, one-time codes, or other authentication credentials. Such requests are a common tactic in phishing attacks, which frequently follow data breach disclosures.
Additionally, PayPal has reset the passwords for all affected accounts. Users who have not already done so will be prompted to set new credentials when they next log in.
Following a massive credential stuffing attempt that compromised 35,000 accounts between December 6 and December 8, 2022, PayPal informed users of another data breach in January 2023.
In January 2025, two years after the 2022 data breach occurred, New York State announced a $2,000,000 settlement with PayPal on allegations that the company had violated the state’s cybersecurity laws.
Update February 20, 11:38 EST: Following the article’s publication, a PayPal representative informed BleepingComputer that the event exposed the data of about 100 clients and that the company’s systems were not compromised.
“When there is a potential exposure of customer information, PayPal is required to notify affected customers,” the spokesman stated. “PayPal’s systems were not breached in this instance. In order to raise awareness of this issue, we got in touch with the roughly 100 clients who might have been affected.”
Use the Resolution Center to report any suspicious activity or look for a formal notification from PayPal if you think your account was impacted.







