PayPal is notifying customers after a software error in its PayPal Working Capital (PPWC) loan application exposed certain personal information, including social security numbers, for nearly six months in 2025.
Although the company said its core systems were not breached, the issue resulted in potential unauthorized access to sensitive customer data.
“Upon learning about this unauthorized activity, we began an investigation and terminated the unauthorized access to PayPal’s systems,” said PayPal in its breach notification letter.
They added, “A few customers experienced unauthorized transactions on their account and PayPal has issued refunds to these customers.”
How a Coding Error Exposed Customer Data
The incident occurred within PayPal’s Working Capital (PPWC) loan platform, a service that provides short-term financing to small businesses.
According to the company, a code modification introduced into the application inadvertently exposed personally identifiable information (PII) to unauthorized individuals.
The exposure window lasted from Jul. 1, 2025, to Dec. 13, 2025, before the issue was identified.
PayPal said it detected the problem on Dec. 12, 2025, and rolled back the faulty code change the following day to prevent further access.
Although PayPal emphasized that its broader systems were not compromised and that approximately 100 customers were potentially affected, the data involved was sensitive.
Exposed information included names, email addresses, phone numbers, business addresses, dates of birth, and Social Security numbers.
The company also confirmed that unauthorized transactions were detected on a small number of impacted accounts and that refunds were issued.
PayPal has not publicly detailed the precise technical mechanism behind the exposure but confirmed that it was caused by an application-level coding issue.
At the time of disclosure, PayPal reported no evidence that its wider infrastructure had been breached.
Because the exposed data included Social Security numbers and dates of birth, it raises the risk of targeted social engineering and account takeover attempts that use accurate personal details to bypass security checks.
Lessons Learned From the PayPal Exposure
In response to the incident, PayPal implemented several immediate remediation measures to contain the exposure and support affected customers.
- Rolled back the code change responsible for the exposure.
- Reset passwords for impacted accounts.
- Issued refunds for unauthorized transactions.
- Offered two years of free three-bureau credit monitoring and identity restoration services through Equifax.
Beyond PayPal’s direct response, the incident highlights broader security lessons and practical controls organizations can adopt to reduce the risk of similar data exposure events.
- Strengthen change management processes by requiring testing, peer review, and post-deployment validation for updates affecting sensitive data.
- Implement data minimization, tokenization, or field-level encryption to reduce exposure of high-risk information such as Social Security numbers.
- Enforce least privilege access controls and network segmentation to limit access to sensitive systems and reduce potential blast radius.
- Enhance logging, monitoring, and data loss prevention controls to detect anomalous access to regulated data fields in real time.
- Prepare for secondary threats by reinforcing multi-factor authentication and user awareness to mitigate phishing campaigns that often follow breach disclosures.
- Integrate application-layer exposures into vulnerability management programs and regularly test incident response plans and tabletop data exposure scenarios.
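The controls in the list above (a field allowlist enforced per caller role, tokenization of the Social Security number, and a post-deployment validation check that scans outgoing responses for regulated fields) can be shown as working code. The block below is an added example written for this article; it is not PayPal's code and does not describe how PPWC is built. The applicant record, the role names, the field names and the tokenization key are all constructed assumptions, and the "faulty" serializer stands in for the kind of application-level change the article describes, where a view that should have been filtered returns the raw record.

```python
import hashlib
import hmac
import json
import re

# Constructed, fictional loan-application record (not real customer data).
APPLICANT = {
    "applicant_id": "A-1001",
    "name": "Jane Example",
    "email": "jane@example.com",
    "phone": "555-0100",
    "business_address": "1 Example St, Springfield",
    "dob": "1980-04-12",
    "ssn": "123-45-6789",
}

# Hypothetical tokenization key; in production it lives in a KMS/HSM, never in code.
TOKEN_KEY = b"example-tokenization-key-do-not-use"

# Assumed least-privilege allowlist: which fields each caller role may receive.
# Note that no role ever receives the raw "ssn" field, only "ssn_token".
ROLE_FIELDS = {
    "underwriter": {"applicant_id", "name", "email", "phone",
                    "business_address", "dob", "ssn_token"},
    "support": {"applicant_id", "name", "email", "phone"},
    "partner": {"applicant_id"},
}

SSN_PATTERN = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")


def tokenize_ssn(ssn: str, key: bytes = TOKEN_KEY) -> str:
    """Replace an SSN with a keyed HMAC token: stable for joins, useless if leaked."""
    digits = ssn.replace("-", "")
    return "tok_" + hmac.new(key, digits.encode(), hashlib.sha256).hexdigest()[:24]


def serialize_applicant(record: dict, role: str) -> dict:
    """Hardened serializer: tokenize the SSN, then emit only the role's allowlisted fields."""
    if role not in ROLE_FIELDS:
        raise PermissionError(f"unknown role {role!r}")
    view = {k: v for k, v in record.items() if k != "ssn"}
    view["ssn_token"] = tokenize_ssn(record["ssn"])
    return {k: v for k, v in view.items() if k in ROLE_FIELDS[role]}


def serialize_applicant_faulty(record: dict, role: str) -> dict:
    """Illustrative defect (constructed): a change that drops the allowlist and tokenization."""
    return dict(record)


def find_pii_leaks(payload: dict, role: str) -> list:
    """Post-deployment validation / DLP-style check on an outgoing response.

    Returns an empty list when the payload is clean, otherwise one finding per problem:
    a raw SSN field, an SSN-shaped value anywhere in the body, or a field the role
    is not allowlisted for. Run it in CI against staging responses and as a runtime
    monitor on a sample of production responses.
    """
    findings = []
    if "ssn" in payload:
        findings.append("raw_field:ssn")
    if SSN_PATTERN.search(json.dumps(payload)):
        findings.append("ssn_pattern_in_body")
    for field in sorted(set(payload) - ROLE_FIELDS.get(role, set())):
        findings.append(f"not_allowlisted:{role}:{field}")
    return findings


if __name__ == "__main__":
    for role in ROLE_FIELDS:
        good = serialize_applicant(APPLICANT, role)
        bad = serialize_applicant_faulty(APPLICANT, role)
        print(role, "hardened:", find_pii_leaks(good, role) or "clean")
        print(role, "faulty:  ", find_pii_leaks(bad, role))
```

The check deliberately tests two independent things: the field name (a raw `ssn` key should never reach a client) and the value shape (an SSN-looking string in any field catches the case where the data was copied into a field with a harmless name). Keeping the allowlist in one table also makes the peer-review step concrete: any change to `ROLE_FIELDS` is a change to what leaves the service and can be reviewed as such.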
Collectively, these measures help limit the blast radius of data exposure incidents while reinforcing resilient controls that reduce the likelihood and impact of future events.
Data Exposure Without a System Breach
Although the number of affected customers was limited, the incident shows how application-level errors can lead to the exposure of sensitive data even without a broader system breach.
For financial platforms handling identity and lending data, disciplined change management, layered controls, and continuous monitoring are key to reducing operational risk.
This type of risk also reinforces the value of zero-trust solutions, which are designed to continuously verify access and minimize implicit trust across applications and data environments.
