
PayPal is notifying customers of a data breach after a software error in a loan application exposed their sensitive personal information, including Social Security numbers, for nearly 6 months last year.
The incident affected the PayPal Working Capital (PPWC) loan app, which provides small businesses with quick access to financing.
PayPal discovered the breach on December 12, 2025, and determined that customers’ names, email addresses, phone numbers, business addresses, Social Security numbers, and dates of birth had been exposed since July 1, 2025.
The financial technology company said it has reversed the code change that caused the incident, blocking attackers’ access to the data one day after discovering the breach.
“On December 12, 2025, PayPal identified that due to an error in its PayPal Working Capital (“PPWC”) loan application, the PII of a small number of customers was exposed to unauthorized individuals during the timeframe of July 1, 2025 to December 13, 2025,” PayPal said in breach notification letters sent to affected users.
“PayPal has since rolled back the code change responsible for this error, which potentially exposed the PII. We have not delayed this notification as a result of any law enforcement investigation.”
PayPal also detected unauthorized transactions on the accounts of a small number of customers as a direct result of the incident and has issued refunds to those affected.
The company now offers affected users two years of free three-bureau credit monitoring and identity restoration services through Equifax, which require enrollment by June 30, 2026.
Affected customers are advised to monitor their credit reports and their account activity for suspicious transactions. PayPal reminded users that it never requests account passwords, one-time codes, or other authentication credentials via phone, text, or email, a common tactic used in phishing attacks that often follow data breach disclosures.
PayPal has also reset passwords for all impacted accounts and said that users will be prompted to create new credentials upon their next login if they haven’t already done so.
In January 2023, PayPal notified customers of another data breach after a large-scale credential stuffing attack compromised 35,000 accounts between December 6 and December 8, 2022.
Two years later, in January 2025, New York State announced a $2,000,000 settlement with PayPal over charges that it failed to comply with the state’s cybersecurity regulations, leading to the 2022 data breach.
Update February 20, 11:38 EST: After the article was published, a PayPal spokesperson told BleepingComputer that the company’s systems were not breached and the incident exposed the data of approximately 100 customers.
“When there is a potential exposure of customer information, PayPal is required to notify affected customers,” the spokesperson said. “In this case, PayPal’s systems were not compromised. As such, we contacted the approximately 100 customers who were potentially impacted to provide awareness on this matter.”

